User Guide for AsyncOS 9.0.1 for Cisco Web …...Contents 2 AsyncOS 9.0.1 for Cisco Web Security...

Cisco Systems, Inc.www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

Published: January 27, 2016 Revised: August 18, 2017

http://www.cisco.com

http://www.cisco.com/go/offices

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product includes software written by Tim Hudson ([email protected]).

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide© 2017 Cisco Systems, Inc. All rights reserved.

http://www.cisco.com/go/trademarks

1AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

C O N T E N T S

C H A P T E R 1 Introduction to the Product and the Release 1-1

Introduction to the Web Security Appliance 1-1

What’s New 1-1

What’s New in Cisco AsyncOS 9.0.1 1-1

What’s New in Cisco AsyncOS 9.0.1-162 (GD) 1-1

What’s New in Cisco AsyncOS 9.0.1-161 (GD - for physical appliances only) 1-2

What’s New in Cisco AsyncOS 9.0.1-135 (ED) 1-2

Related Topics 1-2

Using the Appliance Web Interface 1-2

Web Interface Browser Requirements 1-3

Enabling Access to the Web Interface on Virtual Appliances 1-3

Accessing the Appliance Web Interface 1-3

Committing Changes in the Web Interface 1-4

Clearing Changes in the Web Interface 1-4

The Cisco SensorBase Network 1-4

SensorBase Benefits and Privacy 1-5

Enabling Participation in The Cisco SensorBase Network 1-6

C H A P T E R 2 Connect, Install, and Configure 2-1

Overview of Connect, Install, and Configure 2-1

Deploying a Virtual Appliance 2-2

Migrating from a Physical to a Virtual Appliance 2-2

Comparison of Modes of Operation 2-2

Task Overview for Connecting, Installing, and Configuring 2-6

Connecting the Appliance 2-6

Gathering Setup Information 2-8

System Setup Wizard 2-10

System Setup Wizard Reference Information 2-11

Network / System Settings 2-11

Network / Network Context 2-12

Network / Cloud Connector Settings 2-12

Network / Network Interfaces and Wiring 2-13

Contents


Network / Layer 4 Traffic Monitor Wiring 2-13

Network / Routes for Management and Data Traffic 2-14

Network / Transparent Connection Settings 2-14

Network /Administrative Settings 2-15

Security / Security Settings 2-15

Upstream Proxies 2-16

Upstream Proxies Task Overview 2-16

Creating Proxy Groups for Upstream Proxies 2-16

Network Interfaces 2-17

IP Address Versions 2-18

Enabling or Changing Network Interfaces 2-18

Configuring Failover Groups for High Availability 2-20

Add Failover Group 2-20

Edit High Availability Global Settings 2-21

View Status of Failover Groups 2-21

Using the P2 Data Interface for Web Proxy Data 2-21

Configuring TCP/IP Traffic Routes 2-22

Modifying the Default Route 2-23

Adding a Route 2-24

Saving and Loading Routing Tables 2-24

Deleting a Route 2-24

Configuring Transparent Redirection 2-24

Specifying a Transparent Redirection Device 2-24

Configuring WCCP Services 2-25

Increasing Interface Capacity Using VLANs 2-28

Configuring and Managing VLANs 2-28

Redirect Hostname and System Hostname 2-30

Changing the Redirect Hostname 2-31

Changing the System Hostname 2-31

Configuring SMTP Relay Host Settings 2-31

Configuring an SMTP Relay Host 2-32

DNS Settings 2-32

Split DNS 2-32

Clearing the DNS Cache 2-32

Editing DNS Settings 2-33

Troubleshooting Connect, Install, and Configure 2-34

C H A P T E R 3 Connect the Appliance to a Cisco Cloud Web Security Proxy 3-1

How to Configure and Use Features in Cloud Connector Mode 3-1

Contents


Deployment in Cloud Connector Mode 3-2

Configuring the Cloud Connector 3-2

Controlling Web Access Using Directory Groups in the Cloud 3-5

Bypassing the Cloud Proxy Server 3-5

Partial Support for FTP and HTTPS in Cloud Connector Mode 3-5

Preventing Loss of Secure Data 3-6

Viewing Group and User Names and IP Addresses 3-6

Subscribing to Cloud Connector Logs 3-6

Identification Profiles and Authentication with Cloud Web Security Connector 3-7

Identifying Machines for Policy Application 3-7

Guest Access for Unauthenticated Users 3-8

C H A P T E R 4 Intercepting Web Requests 4-1

Overview of Intercepting Web Requests 4-1

Tasks for Intercepting Web Requests 4-2

Best Practices for Intercepting Web Requests 4-2

Web Proxy Options for Intercepting Web Requests 4-3

Configuring Web Proxy Settings 4-3

Web Proxy Cache 4-5

Clearing the Web Proxy Cache 4-5

Removing URLs from the Web Proxy Cache 4-6

Specifying Domains or URLs that the Web Proxy never Caches 4-6

Choosing The Web Proxy Cache Mode 4-7

Web Proxy IP Spoofing 4-8

Web Proxy Custom Headers 4-9

Adding Custom Headers To Web Requests 4-9

Web Proxy Bypassing 4-10

Web Proxy Bypassing for Web Requests 4-10

Configuring Web Proxy Bypassing for Web Requests 4-10

Configuring Web Proxy Bypassing for Applications 4-10

Web Proxy Usage Agreement 4-11

Client Options for Redirecting Web Requests 4-11

Using PAC Files with Client Applications 4-11

Options For Publishing Proxy Auto-Config (PAC) Files 4-11

Client Options For Finding Proxy Auto-Config (PAC) Files 4-12

Automatic PAC File Detection 4-12

Hosting PAC Files on the Web Security Appliance 4-12

Specifying PAC Files in Client Applications 4-13

Contents


Configuring a PAC File Location Manually in Clients 4-13

Detecting the PAC File Automatically in Clients 4-13

FTP Proxy Services 4-14

Overview of FTP Proxy Services 4-14

Enabling and Configuring the FTP Proxy 4-14

SOCKS Proxy Services 4-16

Overview of SOCKS Proxy Services 4-16

Enabling Processing of SOCKS Traffic 4-17

Configuring the SOCKS Proxy 4-17

Creating SOCKS Policies 4-17

Troubleshooting Intercepting Requests 4-18

C H A P T E R 5 Acquire End-User Credentials 5-1

Overview of Acquire End-User Credentials 5-1

Authentication Task Overview 5-2

Authentication Best Practices 5-2

Authentication Planning 5-2

Active Directory/Kerberos 5-3

Active Directory/Basic 5-4

Active Directory/NTLMSSP 5-5

LDAP/Basic 5-5

Identifying Users Transparently 5-5

Understanding Transparent User Identification 5-6

Rules and Guidelines for Transparent User Identification 5-8

Configuring Transparent User Identification 5-9

Using the CLI to Configure Advanced Transparent User Identification Settings 5-9

Configuring Single-Sign-on 5-10

Authentication Realms 5-10

External Authentication 5-11

Configuring External Authentication through an LDAP Server 5-11

Enabling RADIUS External Authentication 5-11

Creating an Active Directory Realm for Kerberos Authentication Scheme 5-11

How to Create an Active Directory Authentication Realm (NTLMSSP and Basic) 5-14

Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 5-14

About Using Multiple NTLM Realms and Domains 5-14

Creating an Active Directory Authentication Realm (NTLMSSP and Basic) 5-15

Creating an LDAP Authentication Realm 5-16

About Deleting Authentication Realms 5-21

Configuring Global Authentication Settings 5-21

Contents


Authentication Sequences 5-26

About Authentication Sequences 5-27

Creating Authentication Sequences 5-27

Editing And Reordering Authentication Sequences 5-28

Deleting Authentication Sequences 5-28

Failed Authentication 5-28

About Failed Authentication 5-29

Bypassing Authentication with Problematic User Agents 5-29

Bypassing Authentication 5-31

Permitting Unauthenticated Traffic While Authentication Service is Unavailable 5-31

Granting Guest Access After Failed Authentication 5-31

Define an Identification Profile that Supports Guest Access 5-32

Use an Identification Profile that Supports Guest Access in a Policy 5-32

Configure How Guest User Details are Logged 5-32

Failed Authorization: Allowing Re-Authentication with Different Credentials 5-33

About Allowing Re-Authentication with Different Credentials 5-33

Allowing Re-Authentication with Different Credentials 5-33

Tracking Identified Users 5-33

Supported Authentication Surrogates for Explicit Requests 5-34

Supported Authentication Surrogates for Transparent Requests 5-34

Tracking Re-Authenticated Users 5-34

Credentials 5-35

Tracking Credentials for Reuse During a Session 5-35

Authentication and Authorization Failures 5-36

Credential Format 5-36

Credential Encryption for Basic Authentication 5-36

About Credential Encryption for Basic Authentication 5-36

Configuring Credential Encryption 5-36

Troubleshooting Authentication 5-37

C H A P T E R 6 Classify End-Users and Client Software 6-1

Overview of Classify Users and Client Software 6-1

Classify Users and Client Software: Best Practices 6-2

Identification Profile Criteria 6-2

Classifying Users and Client Software 6-3

Enable/Disable an Identity 6-8

Identification Profiles and Authentication 6-8

Troubleshooting Identification Profiles 6-10

Contents


C H A P T E R 7 SaaS Access Control 7-1

Overview of SaaS Access Control 7-1

Configuring the Appliance as an Identity Provider 7-2

Using SaaS Access Control and Multiple Appliances 7-4

Creating SaaS Application Authentication Policies 7-4

Configuring End-user Access to the Single Sign-on URL 7-6

C H A P T E R 8 Integrate the Cisco Identity Services Engine 8-1

Overview of the Identity Services Engine Service 8-1

About pxGrid 8-1

About the ISE Server Deployment and Failover 8-2

Identity Services Engine Certificates 8-2

Using Self-signed Certificates 8-3

Using CA-signed Certificates 8-3

Tasks for Certifying and Integrating the ISE Service 8-3

Connect to the ISE Services 8-6

Troubleshooting Identity Services Engine Problems 8-7

C H A P T E R 9 Classify URLs for Policy Application 9-1

Overview of Categorizing URL Transactions 9-1

Categorization of Failed URL Transactions 9-2

Enabling the Dynamic Content Analysis Engine 9-2

Uncategorized URLs 9-2

Matching URLs to URL Categories 9-3

Reporting Uncategorized and Misclassified URLs 9-3

URL Categories Database 9-3

Configuring the URL Filtering Engine 9-4

Managing Updates to the Set of URL Categories 9-4

Understanding the Impacts of URL Category Set Updates 9-5

Effects of URL Category Set Changes on Policy Group Membership 9-5

Effects of URL Category Set Updates on Filtering Actions in Policies 9-5

Merged Categories - Examples 9-6

Controlling Updates to the URL Category Set 9-7

Manually Updating the URL Category Set 9-7

Default Settings for New and Changed Categories 9-8

Verifying Existing Settings and/or Making Changes 9-8

Receiving Alerts About Category and Policy Changes 9-8

Responding to Alerts about URL Category Set Updates 9-8

Contents


Filtering Transactions Using URL Categories 9-9

Configuring URL Filters for Access Policy Groups 9-9

Exceptions to Blocking for Embedded and Referred Content 9-11

Configuring URL Filters for Decryption Policy Groups 9-12

Configuring URL Filters for Data Security Policy Groups 9-13

Creating and Editing Custom URL Categories 9-14

Filtering Adult Content 9-16

Enforcing Safe Searches and Site Content Ratings 9-17

Logging Adult Content Access 9-18

Redirecting Traffic in the Access Policies 9-18

Logging and Reporting 9-19

Warning Users and Allowing Them to Continue 9-19

Configuring Settings for the End-User Filtering Warning Page 9-19

Creating Time Based URL Filters 9-20

Viewing URL Filtering Activity 9-21

Understanding Unfiltered and Uncategorized Data 9-21

URL Category Logging in Access Logs 9-21

Regular Expressions 9-21

Forming Regular Expressions 9-22

Guidelines for Avoiding Validation Failures 9-23

Regular Expression Character Table 9-24

URL Category Descriptions 9-25

C H A P T E R 10 Create Policies to Control Internet Requests 10-1

Overview of Policies: Control Intercepted Internet Requests 10-1

Intercepted HTTP/HTTPS Request Processing 10-2

Managing Web Requests Through Policies Task Overview 10-3

Managing Web Requests Through Policies Best Practices 10-3

Policies 10-3

Policy Types 10-4

Policy Order 10-6

Creating a Policy 10-7

Adding and Editing Secure Group Tags for a Policy 10-10

Policy Configuration 10-10

Block, Allow, or Redirect Transaction Requests 10-14

Client Applications 10-14

About Client Applications 10-14

Using Client Applications in Policies 10-15

Contents


Exempting Client Applications from Authentication 10-16

Time Ranges and Quotas 10-16

Time Ranges for Policies and Acceptable Use Controls 10-16

Creating a Time Range 10-16

Time and Volume Quotas 10-17

Volume Quota Calculations 10-18

Time Quota Calculations 10-18

Defining Time and Volume Quotas 10-18

Access Control by URL Category 10-19

Using URL Categories to Identify Web Requests 10-19

Using URL Categories to Action Web Request 10-19

Remote Users 10-20

About Remote Users 10-20

How to Configure Identification of Remote Users 10-21

Configuring Identification of Remote Users 10-21

Display Remote User Status and Statistics for ASAs 10-22

Troubleshooting Policies 10-23

C H A P T E R 11 Create Decryption Policies to Control HTTPS Traffic 11-1

Overview of Create Decryption Policies to Control HTTPS Traffic 11-1

Managing HTTPS Traffic through Decryption Policies Task Overview 11-2

Managing HTTPS Traffic through Decryption Policies Best Practices 11-2

Decryption Policies 11-2

Enabling the HTTPS Proxy 11-4

Controlling HTTPS Traffic 11-6

Configuring Decryption Options 11-8

Authentication and HTTPS Connections 11-8

Root Certificates 11-8

Managing Certificate Validation and Decryption for HTTPS 11-9

Valid Certificates 11-9

Invalid Certificate Handling 11-10

Uploading a Root Certificate and Key 11-10

Generating a Certificate and Key for the HTTPS Proxy 11-11

Configuring Invalid Certificate Handling 11-11

Options for Certificate Revocation Status Checking 11-12

Enabling Real-Time Revocation Status Checking 11-13

Trusted Root Certificates 11-13

Adding Certificates to the Trusted List 11-14

Removing Certificates from the Trusted List 11-14

Contents


Routing HTTPS Traffic 11-14

Troubleshooting Decryption/HTTPS/Certificates 11-15

C H A P T E R 12 Scan Outbound Traffic for Existing Infections 12-1

Overview of Scanning Outbound Traffic 12-1

User Experience When Requests Are Blocked by the DVS Engine 12-1

Understanding Upload Requests 12-2

Criteria for Group Membership 12-2

Matching Client Requests to Outbound Malware Scanning Policy Groups 12-2

Creating Outbound Malware Scanning Policies 12-3

Controlling Upload Requests 12-4

Logging of DVS Scanning 12-6

C H A P T E R 13 Configuring Security Services 13-1

Overview of Configuring Security Services 13-1

Overview of Web Reputation Filters 13-2

Web Reputation Scores 13-2

Understanding How Web Reputation Filtering Works 13-2

Web Reputation in Access Policies 13-3

Web Reputation in Decryption Policies 13-4

Web Reputation in Cisco IronPort Data Security Policies 13-4

Overview of Anti-Malware Scanning 13-4

Understanding How the DVS Engine Works 13-4

Working with Multiple Malware Verdicts 13-5

Webroot Scanning 13-5

McAfee Scanning 13-6

Matching Virus Signature Patterns 13-6

Heuristic Analysis 13-6

McAfee Categories 13-6

Sophos Scanning 13-6

Understanding Adaptive Scanning 13-7

Adaptive Scanning and Access Policies 13-7

Enabling Anti-Malware and Reputation Filters 13-7

Configuring Anti-Malware and Reputation in Policies 13-8

Anti-Malware and Reputation Settings in Access Policies 13-9

Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Enabled 13-9

Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Disabled 13-10

Configuring Web Reputation Scores 13-12

Contents


Configuring Web Reputation Score Thresholds for Access Policies 13-12

Configuring Web Reputation Filter Settings for Decryption Policy Groups 13-12

Configuring Web Reputation Filter Settings for Data Security Policy Groups 13-12

Maintaining the Database Tables 13-13

The Web Reputation Database 13-13

Logging of Web Reputation Filtering Activity and DVS Scanning 13-13

Logging Adaptive Scanning 13-13

Caching 13-14

Malware Category Descriptions 13-14

C H A P T E R 14 File Reputation Filtering and File Analysis 14-1

Overview of File Reputation Filtering and File Analysis 14-1

File Threat Verdict Updates 14-1

File Processing Overview 14-2

Supported Files for File Reputation and Analysis Services 14-3

Archive or Compressed File Processing 14-4

Privacy of Information Sent to the Cloud 14-4

Configuring File Reputation and Analysis Features 14-5

Requirements for Communication with File Reputation and Analysis Services 14-5

Routing Traffic to File Reputation and File Analysis Servers Through a Data Interface 14-6

Configuring an On-Premises File Analysis Server 14-6

Enabling and Configuring File Reputation and Analysis Services 14-7

(Public Cloud File Analysis Services Only) Configuring Appliance Groups 14-9

Which Appliances Are In the Analysis Group? 14-9

Configuring File Reputation and Analysis Service Action Per Access Policy 14-10

Ensuring That You Receive Alerts About Advanced Malware Protection Issues 14-10

Configuring Centralized Reporting for Advanced Malware Protection Features 14-11

File Reputation and File Analysis Reporting and Tracking 14-11

Identifying Files by SHA-256 Hash 14-11

File Reputation and File Analysis Report Pages 14-12

Viewing File Reputation Filtering Data in Other Reports 14-13

About Web Tracking and Advanced Malware Protection Features 14-13

Taking Action When File Threat Verdicts Change 14-13

Troubleshooting File Reputation and Analysis 14-14

Log Files 14-14

Several Alerts About Failure to Connect to File Reputation or File Analysis Servers 14-14

API Key Error (On-Premises File Analysis) 14-15

Files are Not Uploaded As Expected 14-15

File Analysis Details in the Cloud Are Incomplete 14-15

Contents


Alerts about File Types That Can Be Sent for Analysis 14-16

C H A P T E R 15 Managing Access to Web Applications 15-1

Overview of Managing Access to Web Applications 15-1

Enabling the AVC Engine 15-2

AVC Engine Updates and Default Actions 15-2

User Experience When Requests Are Blocked by the AVC Engine 15-3

Policy Application Control Settings 15-3

Range Request Settings 15-3

Rules and Guidelines for Configuring Application Control 15-4

Configuring Application Control Settings in an Access Policy Group 15-5

Controlling Bandwidth 15-5

Configuring Overall Bandwidth Limits 15-6

Configuring User Bandwidth Limits 15-6

Configuring the Default Bandwidth Limit for an Application Type 15-7

Overriding the Default Bandwidth Limit for an Application Type 15-7

Configuring Bandwidth Controls for an Application 15-7

Controlling Instant Messaging Traffic 15-8

Viewing AVC Activity 15-8

AVC Information in Access Log File 15-9

C H A P T E R 16 Prevent Loss of Sensitive Data 16-1

Overview of Prevent Loss of Sensitive Data 16-1

Bypassing Upload Requests Below a Minimum Size 16-2

User Experience When Requests Are Blocked As Sensitive Data 16-2

Managing Upload Requests 16-2

Managing Upload Requests on an External DLP System 16-3

Evaluating Data Security and External DLP Policy Group Membership 16-4

Matching Client Requests to Data Security and External DLP Policy Groups 16-4

Creating Data Security and External DLP Policies 16-5

Managing Settings for Upload Requests 16-7

URL Categories 16-7

Web Reputation 16-8

Content Blocking 16-8

Defining External DLP Systems 16-8

Configuring External DLP Servers 16-9

Controlling Upload Requests Using External DLP Policies 16-11

Logging of Data Loss Prevention Scanning 16-11

Contents


C H A P T E R 17 Notify End-Users of Proxy Actions 17-1

End-User Notifications Overview 17-1

Configuring General Settings for Notification Pages 17-2

End-User Acknowledgment Page 17-2

Access HTTPS and FTP Sites with the End-User Acknowledgment Page 17-3

About the End-user Acknowledgment Page 17-3

Configuring the End-User Acknowledgment Page 17-3

End-User Notification Pages 17-5

Configuring On-Box End-User Notification Pages 17-6

Off-Box End-User Notification Pages 17-7

Displaying the Correct Off-Box Page Based on the Reason for Blocking Access 17-7

URL Criteria for Off-Box Notification Pages 17-7

Off-Box End-User Notification Page Parameters 17-7

Redirecting End-User Notification Pages to a Custom URL (Off-Box) 17-8

Configuring the End-User URL Filtering Warning Page 17-9

Configuring FTP Notification Messages 17-9

Custom Messages on Notification Pages 17-10

Supported HTML Tags in Custom Messages on Notification Pages 17-10

Caveats for URLs and Logos in Notification Pages 17-11

Editing Notification Page HTML Files Directly 17-12

Requirements for Editing Notification HTML Files Directly 17-12

Editing Notification HTML Files Directly 17-12

Using Variables in Notification HTML Files 17-13

Variables for Customizing Notification HTML Files 17-13

Notification Page Types 17-15

C H A P T E R 18 Generate Reports to Monitor End-user Activity 18-1

Overview of Reporting 18-1

Working with Usernames in Reports 18-1

Report Pages 18-2

Using the Reporting Pages 18-2

Changing the Time Range 18-3

Searching Data 18-3

Choosing Which Data to Chart 18-4

Custom Reports 18-4

Modules That Cannot Be Added to Custom Reports 18-4

Creating Your Custom Report Page 18-5

Subdomains vs. Second-level Domains in Reporting and Tracking 18-5

Contents


Printing and Exporting Reports from Report Pages 18-5

Exporting Report Data 18-6

Enabling Centralized Reporting 18-6

Scheduling Reports 18-7

Adding a Scheduled Report 18-7

Editing Scheduled Reports 18-8

Deleting Scheduled Reports 18-8

Generating Reports On Demand 18-8

Archived Reports 18-9

C H A P T E R 19 Web Security Appliance Reports 19-1

Overview Page 19-2

Users Page 19-3

User Details Page 19-3

Web Sites Page 19-4

URL Categories Page 19-4

URL Category Set Updates and Reports 19-5

Application Visibility Page 19-5

Anti-Malware Page 19-6

Malware Category Report Page 19-6

Malware Threat Report Page 19-6

Advanced Malware Protection Page 19-6

File Analysis Page 19-6

AMP Verdict Updates Page 19-6

Client Malware Risk Page 19-7

Client Detail Page for Web Proxy - Clients by Malware Risk 19-7

Web Reputation Filters Page 19-7

L4 Traffic Monitor Page 19-8

SOCKS Proxy Page 19-8

Reports by User Location Page 19-9

Web Tracking Page 19-9

Searching for Transactions Processed by the Web Proxy 19-10

Searching for Transactions Processed by the L4 Traffic Monitor 19-12

Searching for Transactions Processed by the SOCKS Proxy 19-12

System Capacity Page 19-13

System Status Page 19-13

Contents


C H A P T E R 20 Detecting Rogue Traffic on Non-Standard Ports 20-1

Overview of Detecting Rogue Traffic 20-1

Configuring the L4 Traffic Monitor 20-1

List of Known Sites 20-2

Configuring L4 Traffic Monitor Global Settings 20-2

Updating L4 Traffic Monitor Anti-Malware Rules 20-2

Creating a Policy to Detect Rogue Traffic 20-3

Valid Formats 20-4

Viewing L4 Traffic Monitor Activity 20-4

Monitoring Activity and Viewing Summary Statistics 20-4

L4 Traffic Monitor Log File Entries 20-5

C H A P T E R 21 Monitor System Activity Through Logs 21-1

Overview of Logging 21-1

Common Tasks for Logging 21-2

Best Practices for Logging 21-2

Troubleshooting Web Proxy Issues Using Logs 21-2

Log File Types 21-3

Adding and Editing Log Subscriptions 21-7

Pushing Log Files to Another Server 21-11

Archiving Log Files 21-11

Log File Names and Appliance Directory Structure 21-12

Reading and Interpreting Log Files 21-12

Viewing Log Files 21-13

Web Proxy Information in Access Log Files 21-13

Transaction Result Codes 21-16

ACL Decision Tags 21-16

Interpreting Access Log Scanning Verdict Entries 21-20

W3C Compliant Access Log Files 21-24

W3C Field Types 21-24

Interpreting W3C Access Logs 21-24

W3C Log File Headers 21-25

W3C Field Prefixes 21-25

Customizing Access Logs 21-26

Access Log User Defined Fields 21-26

Customizing Regular Access Logs 21-27

Customizing W3C Access Logs 21-27

Contents


Configuring CTA-specific Custom W3C Logs 21-28

Traffic Monitor Log Files 21-29

Interpreting Traffic Monitor Logs 21-29

Log File Fields and Tags 21-30

Access Log Format Specifiers and W3C Log File Fields 21-30

Malware Scanning Verdict Values 21-40

Troubleshooting Logging 21-41

C H A P T E R 22 Perform System Administration Tasks 22-1

Overview of System Administration 22-1

Saving, Loading, and Resetting the Appliance Configuration 22-2

Viewing and Printing the Appliance Configuration 22-2

Saving the Appliance Configuration File 22-2

Loading the Appliance Configuration File 22-3

Resetting the Appliance Configuration to Factory Defaults 22-3

Working with Feature Keys 22-3

Displaying and Updating Feature Keys 22-4

Changing Feature Key Update Settings 22-4

Virtual Appliance License 22-4

Installing a Virtual Appliance License 22-5

Enabling Remote Power Cycling 22-5

Administering User Accounts 22-6

Managing Local User Accounts 22-6

Adding Local User Accounts 22-7

Deleting User Accounts 22-8

Editing User Accounts 22-8

Changing Passphrases 22-8

RADIUS User Authentication 22-8

Sequence of Events For Radius Authentication 22-8

Enabling External Authentication Using RADIUS 22-9

Defining User Preferences 22-10

Configuring Administrator Settings 22-11

Setting Passphrase Requirements for Administrative Users 22-11

Additional Security Settings for Accessing the Appliance 22-12

Resetting the Administrator Passphrase 22-13

Configuring the Return Address for Generated Messages 22-14

Managing Alerts 22-14

Alert Classifications and Severities 22-14

Contents


Managing Alert Recipients 22-15

Adding and Editing Alert Recipients 22-15

Deleting Alert Recipients 22-15

Configuring Alert Settings 22-15

Alert Listing 22-16

Feature Key Alerts 22-17

Hardware Alerts 22-17

Logging Alerts 22-17

Reporting Alerts 22-18

System Alerts 22-20

Updater Alerts 22-21

Anti-Malware Alerts 22-21

FIPS Compliance 22-21

FIPS Certificate Requirements 22-22

Enabling or Disabling FIPS Mode 22-22

System Date and Time Management 22-22

Setting the Time Zone 22-23

Synchronizing the System Clock with an NTP Server 22-23

SSL Configuration 22-23

Certificate Management 22-25

About Certificates and Keys 22-25

Managing Trusted Root Certificates 22-25

Certificate Updates 22-26

Viewing Blocked Certificates 22-26

Uploading or Generating a Certificate and Key 22-26

Uploading a Certificate and Key 22-26

Generating a Certificate and Key 22-27

Certificate Signing Requests 22-27

Intermediate Certificates 22-28

AsyncOS for Web Upgrades and Updates 22-28

Best Practices For Upgrading AsyncOS for Web 22-28

Upgrading and Updating AsyncOS and Security Service Components 22-28

Upgrading AsyncOS for Web 22-28

Automatic and Manual Update and Upgrade Queries 22-29

Manually Updating Security Service Components 22-29

Local And Remote Update Servers 22-30

Updating and Upgrading from the Cisco Update Servers 22-30

Upgrading from a Local Server 22-31

Differences Between Local and Remote Upgrading Methods 22-32

Contents


Configuring Upgrade and Service Update Settings 22-32

Reverting to a Previous Version of AsyncOS for Web 22-33

Reverting AsyncOS on Virtual Appliances Impacts the License 22-34

Configuration File Use in the Revert Process 22-34

Reverting AsyncOS for an Appliance Managed by the SMA 22-34

Reverting AsyncOS for Web to a Previous Version 22-34

Monitoring System Health and Status Using SNMP 22-35

MIB Files 22-36

Enabling and Configuring SNMP Monitoring 22-36

Hardware Objects 22-36

SNMP Traps 22-37

About the connectivityFailure SNMP Trap 22-37

CLI Example: snmpconfig 22-37

A P P E N D I X A Troubleshooting A-1

General Troubleshooting Best Practices A-1

A-2

Authentication Problems A-2

Troubleshooting Tools for Authentication Issues A-2

Failed Authentication Impacts Normal Operations A-2

LDAP Problems A-3

LDAP User Fails Authentication due to NTLMSSP A-3

LDAP Authentication Fails due to LDAP Referral A-3

Basic Authentication Problems A-3

Basic Authentication Fails A-3

Single Sign-On Problems A-4

Users Erroneously Prompted for Credentials A-4

Browser Problems A-4

WPAD Not Working With Firefox A-4

DNS Problems A-4

Alert: Failed to Bootstrap the DNS Cache A-5

Feature Keys Expired A-5

Failover Problems A-5

Failover Misconfiguration A-5

Failover Issues on Virtual Appliances A-5

FTP Problems A-6

URL Categories Do Not Block Some FTP Sites A-6

Large FTP Transfers Disconnect A-6

Contents


Zero Byte File Appears On FTP Servers After File Upload A-6

Chrome Browser Not Detected As User Agent in FTP-over-HTTP Requests A-6

Upload/Download Speed Issues A-6

Hardware Issues A-7

Cycling Appliance Power A-8

Appliance Health and Status Indicators A-8

Alert: Battery Relearn Timed Out (RAID Event) on 380 or 680 Hardware A-8

HTTPS/Decryption/Certificate Problems A-8

Accessing HTTPS Sites Using Routing Policies with URL Category Criteria A-8

HTTPS Request Failures A-9

HTTPS with IP-based Surrogates and Transparent Requests A-9

Different Client “Hello” Behavior for Custom and Default Categories A-9

Bypassing Decryption for Particular Websites A-9

Conditions and Restrictions for Exceptions to Blocking for Embedded and Referred Content A-10

Alert: Problem with Security Certificate A-10

Identity Services Engine Problems A-10

Tools for Troubleshooting ISE Issues A-10

ISE Server Connection Issues A-11

Certificate Issues A-11

Network Issues A-12

Other ISE Server Connectivity Issues A-12

ISE-related Critical Log Messages A-12

Logging Problems A-13

Custom URL Categories Not Appearing in Access Log Entries A-13

Logging HTTPS Transactions A-13

Alert: Unable to Maintain the Rate of Data Being Generated A-14

Problem Using Third-Party Log-Analyzer Tool with W3C Access Logs A-14

Policy Problems A-14

Access Policy not Configurable for HTTPS A-15

Blocked Object Problems A-15

Some Microsoft Office Files Not Blocked A-15

Blocking DOS Executable Object Types Blocks Updates for Windows OneCare A-15

Identification Profile Disappeared from Policy A-15

Policy Match Failures A-15

Policy is Never Applied A-16

HTTPS and FTP over HTTP Requests Match only Access Policies that Do Not Require Authentication A-16

User Matches Global Policy for HTTPS and FTP over HTTP Requests A-16

User Assigned Incorrect Access Policy A-16

Contents


Policy Troubleshooting Tool: Policy Trace A-17

About the Policy Trace Tool A-17

Tracing Client Requests A-17

Advanced: Request Details A-18

Advanced: Response Detail Overrides A-19

Problems with File Reputation and File Analysis A-20

Reboot Issues A-20

Virtual Appliance Running on KVM Hangs on Reboot A-20

Hardware Appliances: Remotely Resetting Appliance Power A-20

Site Access Problems A-21

Cannot Access URLs that Do Not Support Authentication A-21

Cannot Access Sites With POST Requests A-21

Upstream Proxy Problems A-22

Upstream Proxy Does Not Receive Basic Credentials A-22

Client Requests Fail Upstream Proxy A-22

Unable to Route FTP Requests Via an Upstream Proxy A-22

Virtual Appliances A-22

Do Not Use Force Reset, Power Off, or Reset Options During AsyncOS Startup A-23

Network Connectivity on KVM Deployments Works Initially, Then Fails A-23

Slow Performance, Watchdog Issues, and High CPU Usage on KVM Deployments A-23

General Troubleshooting for Virtual Appliances Running on Linux Hosts A-23

WCCP Problems A-23

Maximum Port Entries A-23

Packet Capture A-24

Starting a Packet Capture A-24

Managing Packet Capture Files A-25

Downloading or Deleting Packet Capture Files A-25

Working With Support A-25

Gathering Information for Efficient Service A-25

Opening a Technical Support Request A-25

Getting Support for Virtual Appliances A-26

Enabling Remote Access to the Appliance A-27

A P P E N D I X B Command Line Interface B-1

Overview of the Command Line Interface B-1

Accessing the Command Line Interface B-1

First Access B-1

Subsequent Access B-2

Contents


Working with the Command Prompt B-2

Command Syntax B-2

Select Lists B-3

Yes/No Queries B-3

Subcommands B-3

Escaping Subcommands B-4

Command History B-4

Completing Commands B-4

Committing Configuration Changes Using the CLI B-4

General Purpose CLI Commands B-4

CLI Example: Committing Configuration Changes B-5

CLI Example: Clearing Configuration Changes B-5

CLI Example: Exiting the Command Line Interface Session B-5

CLI Example: Seeking Help on the Command Line Interface B-5

Web Security Appliance CLI Commands B-6

A P P E N D I X C Additional Resources C-1

Cisco Notification Service C-1

Documentation Set C-2

Training C-2

Knowledge Base Articles (TechNotes) C-2

Cisco Support Community C-2

Customer Support C-2

Registering for a Cisco Account to Access Resources C-3

Third Party Contributors C-3

Cisco Welcomes Your Comments C-3

A P P E N D I X D End User License Agreement D-1

Cisco Systems End User License Agreement D-1

Supplemental End User License Agreement for Cisco Systems Content Security Software D-8

C H A P T E R

1-1AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

1Introduction to the Product and the Release

• Introduction to the Web Security Appliance, page 1-1

• What’s New, page 1-1

• Using the Appliance Web Interface, page 1-2

• The Cisco SensorBase Network, page 1-4

Introduction to the Web Security ApplianceThe Cisco Web Security Appliance intercepts and monitors Internet traffic and applies policies to help keep your internal network secure from malware, sensitive data loss, productivity loss, and other Internet-based threats.

What’s New

What’s New in Cisco AsyncOS 9.0.1• What’s New in Cisco AsyncOS 9.0.1-162 (GD), page 1-1

• What’s New in Cisco AsyncOS 9.0.1-161 (GD - for physical appliances only), page 1-2

• What’s New in Cisco AsyncOS 9.0.1-135 (ED), page 1-2

What’s New in Cisco AsyncOS 9.0.1-162 (GD)

On physical WSA appliances, builds 161 and 162 are identical. A last-minute issue (CSCux56040) was found with build 161 when installed on virtual WSA appliances. The issue is corrected in build 162.

http://tools.cisco.com/bugsearch/bug/CSCux56040


Chapter 1 Introduction to the Product and the Release Using the Appliance Web Interface

What’s New in Cisco AsyncOS 9.0.1-161 (GD - for physical appliances only)

This build can be installed only on physical appliances; see the explanation in the previous section, What’s New in Cisco AsyncOS 9.0.1-162 (GD).

What’s New in Cisco AsyncOS 9.0.1-135 (ED)

This is a maintenance release; no new features were added.

Related Topics• Product release notes:

http://www.cisco.com/en/US/partner/products/ps10164/prod_release_notes_list.html

Using the Appliance Web Interface• Web Interface Browser Requirements, page 1-3

• Enabling Access to the Web Interface on Virtual Appliances, page 1-3

• Accessing the Appliance Web Interface, page 1-3

• Committing Changes in the Web Interface, page 1-4

• Clearing Changes in the Web Interface, page 1-4

Feature Description

Identity Services Engine (ISE) versions

All versions of ISE up to 2.0 are supported.

Maximum HTTP Header Size

You can use the CLI command maxhttpheadersize to change the maximum HTTP header size for proxy requests. Increasing this value can alleviate Policy Trace failures that can occur when the specified user belongs to a large number of authentication groups, or when the response header is larger than the current maximum header size.

Note This command was actually introduced in AsyncOS 9.0.

Feature Description

Identity Services Engine (ISE) versions

All versions of ISE up to 2.0 are supported.

Maximum HTTP Header Size

You can use the CLI command maxhttpheadersize to change the maximum HTTP header size for proxy requests. Increasing this value can alleviate Policy Trace failures that can occur when the specified user belongs to a large number of authentication groups, or when the response header is larger than the current maximum header size.

Note This command was actually introduced in AsyncOS 9.0.




Chapter 1 Introduction to the Product and the Release Using the Appliance Web Interface

Web Interface Browser RequirementsTo access the web interface, your browser must support and be enabled to accept JavaScript and cookies. It must be able to render HTML pages containing Cascading Style Sheets (CSS).

The Cisco Web Security Appliance follows the Target Environments set by YUI: http://yuilibrary.com/yui/environments/

Your session automatically times out after 30 minutes of inactivity.

Some buttons and links in the web interface cause additional windows to open. Therefore, you may need to configure the browser’s pop-up blocking settings in order to use the web interface.

Note Only use one browser window or tab at a time to edit the appliance configuration. Also, do not edit the appliance using the web interface and the CLI at the same time. Editing the appliance from multiple places concurrently results in unexpected behavior and is not supported.

Enabling Access to the Web Interface on Virtual Appliances By default, the HTTP and HTTPS interfaces are not enabled on virtual appliances. To enable these protocols, you must use the command-line interface.

Step 1 Access the command-line interface. See Accessing the Command Line Interface, page B-1.

Step 2 Run the interfaceconfig command.

Pressing Enter at a prompt accepts the default value.

Look for the prompts for HTTP and HTTPS and enable the protocol(s) that you will use.

Accessing the Appliance Web Interface

Before You Begin

If you are using a virtual appliance, see Enabling Access to the Web Interface on Virtual Appliances, page 1-3.

Step 1 Open a browser and enter the IP address (or hostname) of the Web Security appliance. If the appliance has not been previously configured, use the default settings:

https://192.168.42.42:8443

-or-

http://192.168.42.42:8080

where 192.168.42.42 is the default IP address, and 8080 is the default admin port setting for HTTP, and 8443 is default admin port for HTTPS.

Otherwise, if the appliance is currently configured, use the IP address (or host name) of the M1 port.


Chapter 1 Introduction to the Product and the Release The Cisco SensorBase Network

Note You must use a port number when connecting to the appliance (by default, port 8080). Failing to specify a port number when accessing the web interface results in a default port 80, Proxy Unlicensed error page.

Step 2 When the appliance login screen appears, enter your user name and passphrase to access the appliance.

By default, the appliance ships with the following user name and passphrase:

• User name: admin

• Passphrase: ironport

If this is the first time you have logged in with the default admin user name, you will be prompted to immediately change the passphrase.

Step 3 To view a listing of recent appliance access attempts, both successes and failures, for your user name, click the recent-activity icon (i or ! for success or failure respectively) in front of the “Logged in as” entry in the upper right corner of the application window.

Committing Changes in the Web Interface

Note You can make multiple configuration changes before you commit all of them.

Step 1 Click the Commit Changes button.

Step 2 Enter comments in the Comment field if you choose.

Step 3 Click Commit Changes.

Clearing Changes in the Web Interface

Step 1 Click the Commit Changes button.

Step 2 Click Abandon Changes.

The Cisco SensorBase NetworkThe Cisco SensorBase Network is a threat management database that tracks millions of domains around the world and maintains a global watch list for Internet traffic. SensorBase provides Cisco with an assessment of reliability for known Internet domains. The Web Security appliance uses the SensorBase data feeds to improve the accuracy of Web Reputation Scores.



SensorBase Benefits and PrivacyParticipating in the Cisco SensorBase Network means that Cisco collects data and shares that information with the SensorBase threat management database. This data includes information about request attributes and how the appliance handles requests.

Cisco recognizes the importance of maintaining your privacy, and does not collect or use personal or confidential information such as usernames and passphrases. Additionally, the file names and URL attributes that follow the hostname are obfuscated to ensure confidentiality. When it comes to decrypted HTTPS transactions, the SensorBase Network only receives the IP address, web reputation score, and URL category of the server name in the certificate.

If you agree to participate in the SensorBase Network, data sent from your appliance is transferred securely using HTTPS. Sharing data improves Cisco’s ability to react to web-based threats and protect your corporate environment from malicious activity.



Enabling Participation in The Cisco SensorBase Network

Note Standard SensorBase Network Participation is enabled by default during system setup.

Step 1 Choose to the Security Services > SensorBase.

Step 2 Verify that SensorBase Network Participation is enabled.

When it is disabled, none of the data that the appliance collects is sent back to the SensorBase Network servers.

Step 3 In the Participation Level section, choose one of the following levels:

• Limited. Basic participation summarizes server name information and sends MD5-hashed path segments to the SensorBase Network servers.

• Standard. Enhanced participation sends the entire URL with unobfuscated path segments to the SensorBase Network servers. This option assists in providing a more robust database, and continually improves the integrity of Web Reputation Scores.

Step 4 In the AnyConnect Network Participation field, choose whether or not to include information collected from clients that connect to the Web Security appliance using Cisco AnyConnect Client.

AnyConnect Clients send their web traffic to the appliance using the Secure Mobility feature.

Step 5 In the Excluded Domains and IP Addresses field, optionally enter any domains or IP addresses to exclude from traffic sent to the SensorBase servers.

Step 6 Submit and commit your changes.

C H A P T E R


2Connect, Install, and Configure

• Overview of Connect, Install, and Configure, page 2-1

• Deploying a Virtual Appliance, page 2-2

• Comparison of Modes of Operation, page 2-2

• Task Overview for Connecting, Installing, and Configuring, page 2-6

• Connecting the Appliance, page 2-6

• Gathering Setup Information, page 2-8

• System Setup Wizard, page 2-10

• Upstream Proxies, page 2-16

• Network Interfaces, page 2-17

• Configuring Failover Groups for High Availability, page 2-20

• Using the P2 Data Interface for Web Proxy Data, page 2-21

• Redirect Hostname and System Hostname, page 2-30

• DNS Settings, page 2-32

• Troubleshooting Connect, Install, and Configure, page 2-34

Overview of Connect, Install, and ConfigureThe Web Security appliance provides three modes of operation: Standard, Cloud Web Security Connector, and Hybrid Web Security.

The Standard mode of Web Security appliance operation includes on-site Web proxy services, which is not available in Cloud Web Security Connector mode, and Layer-4 traffic monitoring, which is not available in either Hybrid Web Security or Cloud Web Security Connector modes.

In Cloud Web Security Connector mode, the appliance connects to and routes traffic to a Cisco Cloud Web Security (CWS) proxy, where Web security policies are enforced.

Hybrid Web Security mode provides unified cloud and on-premise policy enforcement and threat defense, using policies defined in Cisco ScanCenter—the administrative portal to Cloud Web Security—which are automatically downloaded to the Web Security appliance.

The appliance has multiple network ports, with each assigned to manage one or more specific data types.


Chapter 2 Connect, Install, and Configure Deploying a Virtual Appliance

The appliance uses network routes, DNS, VLANs, and other settings and services to manage network connectivity and traffic interception. The System Setup Wizard lets you set up basic services and settings, while the appliance’s Web interface lets you modify settings and configure additional options.

Deploying a Virtual Appliance To deploy a virtual web security appliance, see the Cisco Content Security Virtual Appliance Installation Guide, available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.

Migrating from a Physical to a Virtual Appliance To migrate your deployment from a physical appliance to a virtual appliance, see the virtual appliance installation guide referenced in the previous topic and the Release Notes for your AsyncOS version.

Comparison of Modes of OperationThe Standard mode of Web Security Appliance operation includes on-site Web proxy services, which is not available in Cloud Web Security Connector mode, and Layer-4 traffic monitoring, which is not available in either Hybrid Web Security or Cloud Web Security Connector modes.

In Cloud Web Security Connector mode, the appliance connects to and routes traffic to a Cisco Cloud Web Security proxy, where Web security policies are enforced.

Hybrid Web Security mode provides both cloud and on-premise policy enforcement and threat defense by incorporating connection to a Cisco Cloud Web Security proxy.

The following table presents the various menu commands available in each mode, thereby indicating the various features available in each mode.

http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html



Chapter 2 Connect, Install, and Configure Comparison of Modes of Operation

MenuAvailable in Standard Mode

Available in Cloud Connector Mode

Available in Hybrid Web Security Mode

Reporting System Status

Overview

Users

Web Sites

URL Categories

Application Visibility

Anti-Malware

Advanced Malware Protection

File Analysis

AMP Verdict Updates

Client Malware Risk

Web Reputation Filters

Layer-4 Traffic Monitor

Reports by User Location

Web Tracking

System Capacity

System Status

Scheduled Reports

Archived Reports

System Status System Capacity

System Status



Web Security Manager

Identification Profiles

Cloud Routing Policies

SaaS Policies

Decryption Policies

Routing Policies

Access Policies

Overall Bandwidth Limits

Cisco Data Security

Outbound Malware Scanning

External Data Loss Prevention

SOCKS Policies

Custom URL Categories

Define Time Ranges and Quotas

Bypass Settings



Cloud Routing Policies


Custom URL Categories


Bypass Settings

Security Services Web Proxy

FTP Proxy

HTTPS Proxy

SOCKS Proxy

PAC File Hosting

Acceptable Use Controls

Anti-Malware and Reputation

Data Transfer Filters

AnyConnect Secure Mobility

End-User Notification

L4 Traffic Monitor

SensorBase

Reporting

Web Proxy Web Proxy

HTTPS Proxy


End-User Notification

SensorBase






Network Interfaces

Transparent Redirection

Routes

DNS

High Availability

Internal SMTP Relay

Upstream Proxy

External DLP Servers

Certificate Management

Authentication

Identity Provider for SaaS

Identity Services Engine

Interfaces


Routes

DNS

High Availability

Internal SMTP Relay

External DLP Servers


Authentication

Machine ID Service

Cloud Connector

Interfaces


Routes

DNS

High Availability

Internal SMTP Relay


Authentication

System Administration

Policy Trace

Alerts

Log Subscriptions

Return Addresses

SSL Configuration

Users

Network Access

Time Zone

Time Settings

Configuration Summary

Configuration File

Feature Keys Settings

Feature Keys

Upgrade and Update Settings

System Upgrade

System Setup Wizard

FIPS Mode

Next Steps

Alerts

Log Subscriptions

SSL Configuration

Users

Network Access

Time Zone

Time Settings


Configuration File

Feature Keys


System Upgrade

System Setup Wizard

Alerts

Log Subscriptions

SSL Configuration

Users

Network Access

Time Zone

Time Settings


Configuration File

Feature Key Settings

Feature Keys


System Setup Wizard

Next Steps





Chapter 2 Connect, Install, and Configure Task Overview for Connecting, Installing, and Configuring

Task Overview for Connecting, Installing, and Configuring

Connecting the ApplianceBefore You Begin

• To mount the appliance, cable the appliance for management, and connect the appliance to power, follow the instructions in the hardware guide for your appliance. For the location of this document for your model, see Documentation Set, page C-2.

• If you plan to physically connect the appliance to a WCCP v2 router for transparent redirection, first verify that the WCCP router supports Layer 2 redirection.

• Be aware of Cisco configuration recommendations:

– Use simplex cabling (separate cables for incoming and outgoing traffic) if possible for enhanced performance and security.

Step 1 Connect the Management interface if you have not already done so:

Step 2 (Optional) Connect the appliance to data traffic either directly or through a transparent redirection device:

Task More Information

1. Connect the appliance to Internet traffic. Connecting the Appliance, page 2-6

2. Gather and record set-up information. Gathering Setup Information, page 2-8

3. Run the System Setup Wizard. System Setup Wizard, page 2-10

4. Configure HTTPS proxy settings, Authentication Realms and Identification Profiles.

Enabling the HTTPS Proxy, page 11-4

Authentication Realms, page 5-10

Identification Profiles and Authentication, page 6-8

5. (Optional) Connect upstream proxies. Upstream Proxies, page 2-16

Ethernet Port Notes

M1 Connect M1 to where it can:

• Send and receive Management traffic.

• (Optional) Send and receive web proxy data traffic.

You can connect a laptop directly to M1 to administer the appliance.

To connect to the management interface using a hostname (http://hostname:8080), add the appliance hostname and IP address to your DNS server database.

P1 and P2 (optional) • Available for outbound management services traffic but not administration.

• Enable Use M1 port for management only (Network > Interfaces page).

• Set routing for the service to use the Data interface.


Chapter 2 Connect, Install, and Configure Connecting the Appliance

Ethernet Port Explicit Forwarding Transparent Redirection

P1/P2 P1 only:

• Enable Use M1 port for management only.

• Connect P1 and M1 to different subnets.

• Use a duplex cable to connect P1 the internal network and the internet to receive both inbound and outbound traffic.

P1 and P2

• Enable P1.

• Connect M1, P1, and P2 to different subnets.

• Connect P2 to the internet to receive inbound internet traffic.

After running the System Setup Wizard, enable P2.

Device: WCCP v2 router:

• For Layer 2 redirection, physically connect router to P1/P2.

• For Layer 3 redirection, be aware of possible performance issues with Generic Routing Encapsulation.

• Create a WCCP Service on the appliance.

Device: Layer-4 Switch:

• For Layer 2 redirection, physically connect switch to P1/P2.

• For Layer 3 redirection, be aware of possible performance issues with Generic Routing Encapsulation.

Note The appliance does not support inline mode.

M1 (optional) If Use M1 port for management only is disabled, M1 is the default port for data traffic.

N/A


Chapter 2 Connect, Install, and Configure Gathering Setup Information

Step 3 (Optional) To monitor Layer-4 traffic, connect the Appliance to a TAP, switch, or hub after the proxy ports and before any device that performs network address translation (NAT) on client IP addresses:

Step 4 Connect external proxies upstream of the appliance to allow the external proxies to receive data from the appliance.

What to Do Next

• Gathering Setup Information, page 2-8

Related Topics

• Enabling or Changing Network Interfaces, page 2-18

• Using the P2 Data Interface for Web Proxy Data, page 2-21

• Adding and Editing a WCCP Service, page 2-25

• Configuring Transparent Redirection, page 2-24


Gathering Setup InformationYou can use the worksheet below to record the configuration values you will need while running the System Setup Wizard. For additional information about each property, see System Setup Wizard Reference Information, page 2-11.

Ethernet Port Notes

T1/T2 To allow Layer-4 Traffic Monitor blocking, put Layer 4 Traffic Monitor on the same network as the Web Security appliance.

Recommended configuration:

Device: Network TAP:

• Connect T1 to network TAP to receive outbound client traffic.

• Connect T2 to network TAP to receive inbound internet traffic.

Other options:

Device: Network TAP:

• Use duplex cable on T1 to receive inbound and outbound traffic.

Device: Spanned or mirrored port on a switch

• Connect T1 to receive outbound client traffic and connect T2 to receive inbound internet traffic.

• (Less preferred) Connect T1 using a half or full duplex cable to receive both inbound and outbound traffic.

Device: Hub:

• (Least preferred) Connect T1 using a duplex cable to receive both inbound and outbound traffic.

The appliance listens to traffic on all TCP ports on these interfaces.


Chapter 2 Connect, Install, and Configure Gathering Setup Information

System Setup Wizard Worksheet

Property Value Property Value

Appliance Details Routes

Default System Hostname Management Traffic

Local DNS Server(s)

(Required if not using Internet Root Servers)

Default Gateway

DNS Server 1 (Optional) Static Route Table Name

(Optional) DNS Server 2 (Optional) Static Route Table Destination Network

(Optional) DNS Server 3 (Optional) Standard Service Router Addresses

(Optional) Time Settings (Optional) Data Traffic

Network Time Protocol Server

Default Gateway

(Optional) External Proxy Details

Static Route Table Name

Proxy Group Name Static Route Table Destination Network

Proxy Server Address (Optional) WCCP Settings

Proxy Port Number WCCP Router Address

Interface Details WCCP Router Passphrase

Management (M1) Port Administrative Settings

IPv4 Address (required)

IPv6 Address (optional)

Administrator Passphrase

Network Mask Email System Alerts To

Hostname (Optional) SMTP Relay Host

(Optional) Data (P1) Port

IPv4 (optional)

IPv6 Address (optional)

Network Mask

Hostname


Chapter 2 Connect, Install, and Configure System Setup Wizard

System Setup WizardBefore You Begin:

• Connect the Appliance to networks and devices. See Connecting the Appliance, page 2-6.

• Complete the System Setup Wizard worksheet. See Gathering Setup Information, page 2-8.

• If you are setting up a virtual appliance:

– Use the loadlicense command to load the virtual appliance license. For complete information, see the Cisco Content Security Virtual Appliance Installation Guide, available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.

– Enable the HTTP and/or HTTPS interfaces: In the command-line interface (CLI), run the interfaceconfig command.

• Note that reference information for each configuration item used in the System Setup Wizard is available at System Setup Wizard Reference Information, page 2-11.

Warning Only use the System Setup Wizard the first time you install the appliance, or if you want to completely overwrite the existing configuration. Note that the appliance will be reset to its initial factory defaults even if you cancel the System Setup Wizard before it is complete.

Step 1 Open a browser and enter the IP address of the Web Security appliance. The first time you run the System Setup Wizard, use the default IP address:

https://192.168.42.42:8443

-or-

http://192.168.42.42:8080

where 192.168.42.42 is the default IP address, and 8080 is the default admin port setting for HTTP, and 8443 is default admin port for HTTPS.

Otherwise, if the appliance is currently configured, use the IP address of the M1 port.

Step 2 When the appliance login screen appears, enter the user name and passphrase to access the appliance. By default, the appliance ships with the following user name and passphrase:



Step 3 You must immediately change the passphrase.

Step 4 Choose System Administration > System Setup Wizard.

If the appliance is already configured, you will be warned that you are about to reset the configuration. To continue with the System Setup Wizard, check Reset Network Settings, and then click the Reset Configuration button. The appliance will reset and the browser will refresh to the appliance home screen.

Step 5 Read and accept the terms of the end-user license agreement.

Step 6 Click Begin Setup to continue.

Step 7 Configure all settings using the reference tables provided in the following sections as required. See System Setup Wizard Reference Information, page 2-11.

Step 8 Review the configuration information. If you need to change an option, click Edit for that section.

http://www.cisco.com/c/en/us/td/docs/security/web_security/scancenter/administrator/guide/b_ScanCenter_Administrator_Guide.html





Step 9 Click Install This Configuration.

A Next Steps page should appear once the configuration installed. However, depending on the IP, host name, or DNS settings you configured during setup, you may lose connection to the appliance at this stage. If a “page not found” error is displayed in your browser, change the URL to reflect any new address settings and reload the page. Then continue with any post-setup tasks you wish to perform.

System Setup Wizard Reference Information• Network / System Settings, page 2-11

• Network / Network Interfaces and Wiring, page 2-13

• Network / Routes for Management and Data Traffic, page 2-14

• Network / Transparent Connection Settings, page 2-14

• Network /Administrative Settings, page 2-15

Network / System Settings

Property Description

Default System Hostname

The system hostname is the fully-qualified hostname used to identify the appliance in the following areas:

• the command line interface (CLI)

• system alerts

• end-user notification and acknowledgment pages

• when forming the machine NetBIOS name when the Web Security appliance joins an Active Directory domain

The system hostname does not correspond directly to interface hostnames and is not used by clients to connect to the appliance.

DNS Server(s) • Use the Internet’s Root DNS Servers – You can choose to use the Internet root DNS servers for domain name service lookups when the appliance does not have access to DNS servers on your network.

Note Internet Root DNS servers will not resolve local host names. If you need the appliance to resolve local host names you must use a local DNS server, or add the appropriate static entries to the local DNS using the CLI.

Use these DNS Servers – Provide address(es) for the local DNS server(s) that the appliance can use to resolve host names.

See DNS Settings, page 2-32 for more information about these settings.

NTP Server The Network Time Protocol (NTP) server used to synchronize the system clock with other servers on the network or the Internet.

The default is time.sco.cisco.com.



Network / Network Context

Note When you use the Web Security appliance in a network that contains another proxy server, it is recommended that you place the Web Security appliance downstream from the proxy server, closer to the clients.

Related Topics


Network / Cloud Connector Settings

Time Zone Provide time-zone information for location of the appliance; affects timestamps in message headers and log files.

Appliance Mode of Operation

• Standard – Used for standard on-premise policy enforcement.

• Cloud Web Security Connector – Used primarily to direct traffic to Cisco’s Cloud Web Security service for policy enforcement and threat defense.

• Hybrid Web Security – Used in conjunction with Cisco’s Cloud Web Security service for cloud and on-premise policy enforcement and threat defense.

See Comparison of Modes of Operation, page 2-2 for more information about these modes of operation.



Is there another web proxy on your network?

Is there another proxy on your network, such that

a. traffic must pass through it?

b. it will be upstream of the Web Security appliance?

If yes for both points, select the checkbox. This allows you to create a proxy group for one upstream proxy. You can add more upstream proxies later.

Proxy group name A name used to identify the proxy group on the appliance.

Address The hostname or IP address of the upstream proxy server.

Port The port number of the upstream proxy server.

Setting Description

Cloud Web Security Proxy Servers

The address of the Cloud Proxy Server (CPS), for example, proxy1743.scansafe.net.



Network / Network Interfaces and Wiring

The IP address, network mask, and host name to use to manage the Web Security appliance and, by default, for proxy (data) traffic.

You can use the host name specified here when connecting to the appliance management interface (or in browser proxy settings if M1 is used for proxy data), but you must register it in your organization’s DNS.

Network / Layer 4 Traffic Monitor Wiring

Failure Handling If AsyncOS fails to connect to a Cloud Web Security proxy, either Connect directly to the Internet, or Drop requests.

Cloud Web Security Authorization Scheme

Method for authorizing transactions:

• Web Security Appliance public-facing IPv4 address.

• Authorization key included with each transaction. You can generate an authorization key within the Cisco Cloud Web Security Portal.

Setting Description

Setting Description

Ethernet Port (Optional) Check Use M1 port for management only if you want to use a separate port for data traffic.

If you configure the M1 interface for management traffic only, you must configure the P1 interface for data traffic. You must also define different routes for management and data traffic. However, you can configure the P1 interface even when the M1 interface is used for both management and data traffic.

You can enable and configure the P1 port only in the System Setup Wizard. If you want to enable the P2 interface, you must do this after finishing the System Setup Wizard.

IP Address / Netmask

The IP address and network mask to use when managing the Web Security appliance on this network interface.

Hostname The host name to use when managing the Web Security appliance on this network interface.



The type of wired connections plugged into the “T” interfaces:

• Duplex TAP. The T1 port receives both incoming and outgoing traffic.

• Simplex TAP. The T1 port receives outgoing traffic (from the clients to the Internet) and the T2 port receives incoming traffic (from the Internet to the clients).

Cisco recommends using Simplex when possible because it can increase performance and security.



Network / Routes for Management and Data Traffic

Note If you enable “Use M1 port for management only”, this section will have separate sections for management and data traffic; otherwise one joint section will be shown.

Network / Transparent Connection Settings

Note By default, the Cloud Connector is deployed in transparent mode. which requires a connection to a Layer-4 switch, or a version 2 WCCP router.


Default Gateway The default gateway IP address to use for the traffic through the Management and Data interfaces.

Static Routes Table

Optional static routes for management and data traffic. Multiple routes can be added.

• Name – A name used to identify the static route.

• Internal Network – The IPv4 address for this route’s destination on the network.

• Internal Gateway – The gateway IPv4 address for this route. A route gateway must reside on the same subnet as the Management or Data interface on which it is configured.


Layer-4 Switch or No Device

Specifies that the Web Security appliance is connected to a layer 4 switch for transparent redirection, or that no transparent redirection device is used and clients will explicitly forward requests to the appliance.

WCCP v2 Router Specifies that the Web Security appliance is connected to a version 2 WCCP-capable router.

If you connect the appliance to a version 2 WCCP router, you must create at least one WCCP service. You can enable the standard service on this screen, or after the System Setup Wizard is finished, where you can also create multiple dynamic services.

When you enable the standard service, you can also enable router security and enter a passphrase. The passphrase used here must be used all appliances and WCCP routers within the same service group.

A standard service type (also known as the “web-cache” service) is assigned a fixed ID of zero, a fixed redirection method (by destination port), and a fixed destination port of 80.

A dynamic service type allows you to define a custom ID, port numbers, and redirection and load balancing options.



Network /Administrative Settings

Security / Security Settings


Administrator Passphrase

The passphrase used to access the Web Security appliance for administrative purposes.

Email System Alerts To

The email address to which the appliance sends systems alerts.

Send Email via SMTP Relay Host (optional)

The address and port for an SMTP relay host that AsyncOS can use to send system generated email messages.

If no SMTP relay host is defined, AsyncOS uses the mail servers listed in the MX record.

AutoSupport Specifies whether the appliance sends system alerts and weekly status reports to Cisco Customer Support.

SensorBase Network Participation

Specifies whether to participate in the Cisco SensorBase Network. If you participate, you can configure Limited or Standard (full) participation. Default is Standard.

The SensorBase Network is a threat management database that tracks millions of domains around the world and maintains a global watch list for Internet traffic. When you enable SensorBase Network Participation, the Web Security appliance sends anonymous statistics about HTTP requests to Cisco to increase the value of SensorBase Network data.

Option Description

Global Policy Default Action

Specifies whether to block or monitor all web traffic by default after the System Setup Wizard completes. You can change this behavior later by editing the Protocols and User Agents settings for the Global Access Policy. The default setting is to monitor traffic.

L4 Traffic Monitor Specifies whether the Layer-4 Traffic Monitor should monitor or block suspected malware by default after the System Setup Wizard completes. You can change this behavior later. The default setting is to monitor traffic.

Acceptable Use Controls

Specifies whether or not to enable Acceptable Use Controls.

If enabled, Acceptable Use Controls allow you to configure policies based on URL filtering. They also provide application visibility and control, as well as related options such as safe search enforcement. The default setting is enabled.

Reputation Filtering Specifies whether or not to enable Web Reputation filtering for the Global Policy Group.

Web Reputation Filters is a security feature that analyzes web server behavior and assigns a reputation score to a URL to determine the likelihood that it contains URL-based malware. The default setting is enabled.


Chapter 2 Connect, Install, and Configure Upstream Proxies

Upstream ProxiesThe web proxy can forward web traffic directly to its destination web server or use routing policies to redirect it to an external upstream proxy.

• Upstream Proxies Task Overview, page 2-16

• Creating Proxy Groups for Upstream Proxies, page 2-16

Upstream Proxies Task Overview

Creating Proxy Groups for Upstream Proxies

Step 1 Choose Network > Upstream Proxies.

Step 2 Click Add Group.

Malware and Spyware Scanning

Specifies whether to enable malware and spyware scanning using Webroot, McAfee, or Sophos. The default setting is that all three options are enabled.

If any option is enabled, also choose whether to monitor or block detected malware. The default setting is to monitor malware.

You can further configure malware scanning after you finish the System Setup Wizard.

Cisco Data Security Filtering

Specifies whether or not to enable Cisco Data Security Filters.

If enabled, the Cisco Data Security Filters evaluate data leaving the network and allow you to create Cisco Data Security Policies to block particular types of upload requests. The default setting is enabled.

Option Description

Task More Information

1. Connect the external proxy upstream of the Cisco Web Security Appliance.

Connecting the Appliance, page 2-6.

2. Create and configure a proxy group for the upstream proxy.

Creating Proxy Groups for Upstream Proxies, page 2-16.

3. Create a routing policy for the proxy group to manage which traffic is routed to the upstream proxy.

Create Policies to Control Internet Requests


Chapter 2 Connect, Install, and Configure Network Interfaces

Step 3 Complete the Proxy Group settings.


What to Do Next.

• Creating a Policy, page 10-7

Network Interfaces• IP Address Versions, page 2-18


Name The name used to identify proxy groups on the appliance, such as in routing policies, for example.

Proxy Servers The address, port and reconnection attempts (should a proxy not respond) for the proxy servers in the group. Rows for each proxy server can be added or deleted as required.

Note You can enter the same proxy server multiple times to allow unequal load distribution among the proxies in the proxy group.

Load Balancing The strategy that the web proxy uses to load balance requests between multiple upstream proxies. Choose from:

• None (failover). The Web Proxy directs transactions to one external proxy in the group. It tries to connect to the proxies in the order they are listed. If one proxy cannot be reached, the Web Proxy attempts to connect to the next one in the list.

• Fewest connections. The Web Proxy keeps track of how many active requests are with the different proxies in the group and it directs a transaction to the proxy currently servicing the fewest number of connections.

• Hash based. Least recently used. The Web Proxy directs a transaction to the proxy that least recently received a transaction if all proxies are currently active. This setting is similar to round robin except the Web Proxy also takes into account transactions a proxy has received by being a member in a different proxy group. That is, if a proxy is listed in multiple proxy groups, the “least recently used” option is less likely to overburden that proxy.

• Round robin. The Web Proxy cycles transactions equally among all proxies in the group in the listed order.

Note The Load Balancing option is dimmed until two or more proxies have been defined.

Failure Handling Specifies the default action to take if all proxies in this group fail. Choose from:

• Connect directly. Send the requests directly to their destination servers.

• Drop requests. Discard the requests without forwarding them.




IP Address VersionsIn Standard mode, Cisco Web Security Appliance supports IPv4 and IPv6 addresses in most cases.

Note In Cloud Connector mode, Cisco Web Security Appliance supports IPv4 only.

A DNS server may return a result with both an IPv4 and an IPv6 address. DNS settings include an IP Address Version Preference to configure AsyncOS behavior in these cases.

Related Topics


• DNS Settings, page 2-32

Enabling or Changing Network Interfaces• Add or modify interface IP addresses

• Change the Layer-4 Traffic Monitor wiring type

• Enable split routing of management and data traffic

Step 1 Choose Network > Interfaces.

Step 2 Click Edit Settings.

Interface/Service IPv4 IPv6 Notes

M1 interface Required Optional Use of IPv6 addresses requires an IPv6 routing table that defines the default IPv6 gateway. Depending on the network, you may also need to specify a static IPv6 route in the routing table.

P1 interface Optional Optional If the P1 interface has an IPv6 address configured and the appliance uses split routing (separate management and data routes), then the P1 interface cannot use the IPv6 gateway configured on the Management route. Instead, specify an IPv6 gateway for the Data routing table.

P2 interface Optional Optional —

Data services Supported Supported —

Control and Management Services Supported Partially Supported Images, for example custom logos on end-user notification pages, require IPv4.

AnyConnect Secure Mobility (MUS) Supported Not Supported —



Step 3 Configure the Interface options .


What to Do Next

• If you added an IPv6 address, add an IPv6 routing table.

Related Topics

• Connecting the Appliance, page 2-6.

• IP Address Versions, page 2-18

• Configuring TCP/IP Traffic Routes, page 2-22

Option Description

Interfaces Modify or add new IPv4 or IPv6 Address, Netmask, and Hostname details for the M1, P1, or P2 interfaces as required.

• M1 – AsyncOS requires an IPv4 address for the M1 (Management) port. In addition to the IPv4 address, you can specify an IPv6 address. By default, the Management interface is used to administer the appliance and Web Proxy (data) monitoring. However, you can configure the M1 port for management use only.

• P1 and P2 – Use an IPv4 address, IPv6 address, or both for the Data ports. The Data interfaces are used for Web Proxy monitoring and Layer-4 Traffic Monitor blocking (optional). You can also configure these interfaces to support outbound services such as DNS, software upgrades, NTP, and traceroute data traffic.

Note If the Management and Data interfaces are all configured, each must be assigned IP addresses on different subnets.

Separate Routing for Management Services

Check Restrict M1 port to appliance management services only to limit M1 to management traffic only, requiring use of a separate port for data traffic.

Note When you use M1 for management traffic only, configure at least one data interface, on another subnet, for proxy traffic. Define different routes for management and data traffic.

Appliance Management Services

Enable/disable use of, and specify a default port number for, the following network protocols:

• FTP – Disabled by default.

• SSH

• HTTP

• HTTPS

Also, you can enable/disable redirection of HTTP traffic to HTTPS.


Chapter 2 Connect, Install, and Configure Configuring Failover Groups for High Availability

Configuring Failover Groups for High AvailabilityUsing the Common Address Redundancy Protocol (CARP), the WSA enables multiple hosts on your network to share an IP address, providing IP redundancy to ensure high availability of services provided by those hosts. In CARP there are three states for a host:

• master

• backup

• init

Only one master host can exist for each failover group that can provide services.

Add Failover Group

Before You Begin

• Identify a virtual IP address that will be used exclusively for this failover group. Clients will use this IP address to connect to the failover group in explicit forward proxy mode.

• Configure all Appliances in the failover group with identical values for the following parameters:

– Failover Group ID

– Hostname

– Virtual IP Address

• If you are configuring this feature on a virtual appliance, ensure that the virtual switch and the virtual interfaces specific to each appliance are configured to use promiscuous mode. For more information, see the documentation for your virtual hypervisor.

Step 1 Choose Network > High Availability.

Step 2 Click Add Failover Group.

Step 3 Enter a Failover Group ID in the range 1 to 255.

Step 4 (Optional) Enter a Description.

Step 5 Enter the Hostname, for example www.example.com.

Step 6 Enter the Virtual IP Address and Netmask, for example 10.0.0.3/24 (IPv4) or 2001:420:80:1::5/32 (IPv6).

Step 7 Choose an option from the Interface menu. The Select Interface Automatically option will select the interface based on the IP address you provided.

Note If you do not select the Select Interface Automatically option, you must choose an interface in the same subnet as the virtual IP address you provided.

Step 8 Choose the priority. Click Master to set the priority to 255. Alternatively, select Backup and enter a priority between 1 (lowest) and 254 in the Priority field.

Step 9 (Optional). To enable security for the service, select the Enable Security for Service check box and enter a string of characters that will be used as a shared secret in the Shared Secret and Retype Shared Secret fields.


Chapter 2 Connect, Install, and Configure Using the P2 Data Interface for Web Proxy Data

Note The shared secret, virtual IP, and failover group ID must be the same for all appliances in the failover group.

Step 10 Enter the delay in seconds (1 to 255) between hosts advertising their availability in the Advertisement Interval field.


Related Topics

• Failover Problems, page A-5

Edit High Availability Global Settings

Step 1 Choose Network > High Availability.

Step 2 In the High Availability Global Settings area, click Edit Settings.

Step 3 In the Failover Handling menu, choose an option.

• Preemptive—The highest priority host will assume control when available.

• Non-preemptive—The host in control will remain in control even if a higher priority host becomes available.

Step 4 Click Submit. Alternatively, click Cancel to abandon your changes.

View Status of Failover GroupsChoose Network > High Availability. The Failover Groups area displays the current fail-over group. You can click Refresh Status to update the display. You can also view fail-over details by choosing Network > Interfaces or Report > System Status.

Using the P2 Data Interface for Web Proxy Data By default, the web proxy does not listen for requests on P2, even when enabled. However, you can configure P2 to listen for web proxy data.

Note If you enable P2 to listen for client requests using the advancedproxyconfig > miscellaneous CLI command, you can choose whether to use P1 or P2 for outgoing traffic. To use P1 for outgoing traffic, change the Default Route for data traffic to specify the next IP address that the P1 interface is connected to.

Before You Begin

• Enable P2 (you must also enable P1 if not already enabled) (see Enabling or Changing Network Interfaces, page 2-18).



Step 1 Access the CLI.

Step 2 Use the advancedproxyconfig -> miscellaneous commands to access the required area

example.com> advancedproxyconfig

Choose a parameter group:- AUTHENTICATION - Authentication related parameters- CACHING - Proxy Caching related parameters- DNS - DNS related parameters- EUN - EUN related parameters- NATIVEFTP - Native FTP related parameters- FTPOVERHTTP - FTP Over HTTP related parameters- HTTPS - HTTPS related parameters- SCANNING - Scanning related parameters- PROXYCONN - Proxy connection header related parameters- CUSTOMHEADERS - Manage custom request headers for specific domains- MISCELLANEOUS - Miscellaneous proxy related parameters- SOCKS - SOCKS Proxy parameters

Step 3 []> miscellaneous

Step 4 Press Enter past each question until the question:

Do you want proxy to listen on P2?

Enter ‘y’ for this question.

Step 5 Press Enter past the remaining questions.

Step 6 Commit your changes.

Related Topics


• Configuring TCP/IP Traffic Routes, page 2-22.

Configuring TCP/IP Traffic RoutesRoutes are used for determining where to send (or route) network traffic. The Web Security appliance routes the following kinds of traffic:

• Data traffic. Traffic the Web Proxy processes from end users browsing the web.

• Management traffic. Traffic created by managing the appliance through the web interface and traffic the appliance creates for management services, such as AsyncOS upgrades, component updates, DNS, authentication, and more.

By default, both types of traffic use the routes defined for all configured network interfaces. However, you can choose to split the routing, so that management traffic uses a management routing table and data traffic uses a data routing table. Both types of traffic split are split as follows:



The number of sections on the Network > Routes page is determined by whether or not split routing is enabled:

• Separate route configuration sections for Management and Data traffic (split routing enabled). When you use the Management interface for management traffic only (Restrict M1 port to appliance management services only is enabled), then this page includes two sections to enter routes, one for management traffic and one for data traffic.

• One route configuration section for all traffic (split routing not enabled). When you use the Management interface for both management and data traffic (Restrict M1 port to appliance management services only is disabled), then this page includes one section to enter routes for all traffic that leaves the Web Security appliance, both management and data traffic.

Note A route gateway must reside on the same subnet as the Management or Data interface on which it is configured. If multiple data ports are enabled, the web proxy sends out transactions on the data interface that is on the same network as the default gateway configured for data traffic.

Related Topics

• To enable split routing of management and data traffic, see Enabling or Changing Network Interfaces, page 2-18

Modifying the Default Route

Step 1 Choose Network > Routes.

Step 2 Click on Default Route in the Management or Data table as required (or the combined Management/Data table if split routing is not enabled).

Step 3 In the Gateway column, enter the IP address of the computer system on the next hop of the network connected to the network interface you are editing.


Management Traffic Data Traffic

• WebUI

• SSH

• SNMP

• NTLM authentication (with domain controller)

• ICAP request with external DLP server

• Syslogs

• FTP push

• DNS (configurable)

• Update/Upgrade/Feature Key (configurable)

• HTTP

• HTTPS

• FTP

• WCCP negotiation

• DNS (configurable)

• Update/Upgrade/Feature Key (configurable)



Adding a Route


Step 2 Click the Add Route button corresponding to the interface for which you are creating the route.

Step 3 Enter a Name, Destination Network, and Gateway.


Saving and Loading Routing Tables


To save a route table, click Save Route Table and specify where to save the file.

To load a saved route table, click Load Route Table, navigate to the file, open it, and submit and commit your changes.

Note When the destination address is on the same subnet as one of the physical network interfaces, AsyncOS sends data using the network interface with the same subnet. It does not consult the routing tables.

Deleting a Route


Step 2 Check the checkbox in the Delete column for the appropriate route.

Step 3 Click Delete and confirm.


Related Topics

• Enabling or Changing Network Interfaces, page 2-18.

Configuring Transparent Redirection

Specifying a Transparent Redirection Device

Before You Begin

• Connect the appliance to a Layer-4 switch or a WCCP v2 router.

Step 1 Choose Network > Transparent Redirection.

Step 2 Click Edit Device.



Step 3 Choose the type of device that transparently redirects traffic to the appliance from the Type drop-down list.


Step 5 For WCCP v2 devices, complete these additional steps:

a. Configure the WCCP device using device documentation.

b. Add a WCCP service.

c. If IP spoofing is enabled on the appliance, create a second WCCP service.

Related Topics


• Configuring WCCP Services, page 2-25.

Configuring WCCP Services

A WCCP service is an appliance configuration that defines a service group to a WCCP v2 router. It includes information such as the service ID and ports used. Service groups allow a web proxy to establish connectivity with a WCCP router and to handle redirected traffic from the router.

Note You can configure a maximum of 15 service groups on a single appliance.

Adding and Editing a WCCP Service

Before You Begin

• Configure the appliance to use a WCCP v2 Router (see Specifying a Transparent Redirection Device, page 2-24).

Step 1 Choose Network > Transparent Redirection.

Step 2 Click Add Service, or, to edit a WCCP service, click the name of the WCCP service in the Service Profile Name column.

Step 3 Configure the WCCP options as described:

WCCP Service Option Description

Service Profile Name The name for the WCCP service.

Note If you leave this empty and choose a standard service (see below), the name ‘web_cache’ is automatically assigned here.



Service The service group type for the router. Choose from:

Standard service. This service type is assigned a fixed ID of zero, a fixed redirection method of by destination port, and a fixed destination port of 80. You can create one standard service only. If a standard service already exists on the appliance, this option is dimmed.

Dynamic service. This service type allows you to define a custom ID, port numbers, and redirection and load balancing options. Enter the same parameters when creating the service on the WCCP router as you entered for the dynamic service.

If you create a dynamic service, enter the following information:

• Service ID. You can enter any number from 0 to 255 in the Dynamic Service ID field. However, note that you can configure no more than 15 service groups on this appliance.

• Port number(s). Enter up to eight port numbers for traffic to redirect in the Port Numbers field.

• Redirection basis. Choose to redirect traffic based on the source or destination port. Default is destination port.

Note To configure Native FTP with transparent redirection and IP spoofing, choose Redirect based on source port (return path) and set the source port to 13007.

• Load balancing basis. When the network uses multiple Web Security appliances, you can choose how to distribute packets among the appliances. You can distribute packets based on the server or client address. When you choose client address, packets from a client always get distributed to the same appliance. Default is server address.

Router IP Addresses The IPv4 or IPv6 address for one or more WCCP enabled routers. Use each router’s unique IP; you cannot enter a multicast address. You cannot mix IPv4 and IPv6 addresses within a service group.

Router Security Specifies whether or not to require a passphrase for this service group. If enabled, every appliance and WCCP router that uses the service group must use the same passphrase.





Advanced Load-Balancing Method. This determines how the router performs load balancing of packets among multiple Web Security appliances. Choose from:

• Allow Mask Only. WCCP routers make decisions using hardware in the router. This method can increase router performance over the hash method. Not all WCCP routers support mask assignment, however.

• Allow Hash Only. This method relies on a hash function to make redirection decisions. This method can be less efficient than the mask method, but may be the only option the router supports.

• Allow Hash or Mask. Allows AsyncOS to negotiate a method with the router. If the router supports mask, then AsyncOS uses masking, otherwise hashing is used.

Mask Customization. If you select Allow Mask Only or Allow Hash or Mask, you can customize the mask or specify the number of bits:

• Custom mask (max 5 bits). You can specify the mask. The web interface displays the number of bits associated with the mask you provide.

• System generated mask. You can let the system generate a mask for you. Optionally, you can specify the number of bits for the system-generated mask, up to 5 bits.

Forwarding method. This is the method by which redirected packets are transported from the router to the web proxy.

Return Method. This is the method by which redirected packets are transported from the web proxy to the router.

Both the forwarding and return methods use one of the following method types:

• Layer 2 (L2). This redirects traffic at layer 2 by replacing the packet’s destination MAC address with the MAC address of the target web proxy. The L2 method operates at hardware level and typically offers the best performance. Not all WCCP routers support L2 forwarding, however. In addition, WCCP routers only allow L2 negotiation with a directly (physically) connected Web Security appliance.

• Generic Routing Encapsulation (GRE). This method redirects traffic at layer 3 by encapsulating the IP packet with a GRE header and a redirect header. GRE operates at software level, which can impact performance.

• L2 or GRE. With this option, the appliance uses the method that the router says it supports. If both the router and appliance support L2 and GRE, the appliance uses L2.

If the router is not directly connected to the appliance, you must choose GRE.




Creating WCCP Services for IP Spoofing

Step 1 If you have enabled IP spoofing on the web proxy, create two WCCP services. Create a standard WCCP service, or create a dynamic WCCP service that redirects traffic based on destination ports.

Step 2 Create a dynamic WCCP service that redirects traffic based on source ports.

Use the same port numbers, router IP address, and router security settings as used for the service created in Step 1.

Note Cisco suggests using a service ID number from 90 to 97 for the WCCP service used for the return path (based on the source port).

Related Topics

• Web Proxy Cache, page 4-5.

Increasing Interface Capacity Using VLANsYou can configure one or more VLANs to increase the number of networks the Cisco Web Security Appliance can connect to beyond the number of physical interfaces included.

VLANs appear as dynamic “Data Ports” labeled in the format of: “VLAN DDDD” where the “DDDD” is the ID and is an integer up to 4 digits long (VLAN 2, or VLAN 4094 for example). AsyncOS supports up to 30 VLANs.

A physical port does not need an IP address configured in order to be in a VLAN. The physical port on which a VLAN is created can have an IP that will receive non-VLAN traffic, so you can have both VLAN and non-VLAN traffic on the same interface.

VLANs can only be created on the Management and P1 data ports.

Configuring and Managing VLANs

You can create, edit and delete VLANs via the etherconfig command. Once created, a VLAN can be configured via the interfaceconfig command in the CLI.

Example 1: Creating a New VLAN

In this example, two VLANs are created (named VLAN 31 and VLAN 34) on the P1 port:

Note Do not create VLANs on the T1 or T2 interfaces.


Step 2 Follow the steps shown.

example.com> etherconfigChoose the operation you want to perform:- MEDIA - View and edit ethernet media settings.- VLAN - View and configure VLANs.



- MTU - View and configure MTU.[]> vlan

VLAN interfaces:

Choose the operation you want to perform:- NEW - Create a new VLAN.[]> new

VLAN ID for the interface (Ex: "34"):[]> 34

Enter the name or number of the ethernet interface you wish bind to:1. Management2. P13. T14. T2[1]> 2

VLAN interfaces:1. VLAN 34 (P1)

Choose the operation you want to perform:- NEW - Create a new VLAN.- EDIT - Edit a VLAN.- DELETE - Delete a VLAN.[]> new

VLAN ID for the interface (Ex: "34"):[]> 31

Enter the name or number of the ethernet interface you wish bind to:1. Management2. P13. T14. T2[1]> 2

VLAN interfaces:1. VLAN 31 (P1)2. VLAN 34 (P1)

Choose the operation you want to perform:- NEW - Create a new VLAN.- EDIT - Edit a VLAN.- DELETE - Delete a VLAN.[]>


Example 2: Creating an IP Interface on a VLAN

In this example, a new IP interface is created on the VLAN 34 ethernet interface.

Note Making changes to an interface may close your connection to the appliance.



Chapter 2 Connect, Install, and Configure Redirect Hostname and System Hostname

Step 2 Follow the steps shown:

example.com> interfaceconfig

Currently configured interfaces:1. Management (10.10.1.10/24 on Management: example.com)2. P1 (10.10.0.10 on P1: example.com)

Choose the operation you want to perform:- NEW - Create a new interface.- EDIT - Modify an interface.- DELETE - Remove an interface.[]> new

IP Address (Ex: 10.10.10.10):[]> 10.10.31.10

Ethernet interface:1. Management2. P13. VLAN 314. VLAN 34[1]> 4

Netmask (Ex: "255.255.255.0" or "0xffffff00"):[255.255.255.0]>

Hostname:[]> v.example.com

Currently configured interfaces:1. Management (10.10.1.10/24 on Management: example.com)2. P1 (10.10.0.10 on P1: example.com)3. VLAN 34 (10.10.31.10 on VLAN 34: v.example.com)

Choose the operation you want to perform:- NEW - Create a new interface.- EDIT - Modify an interface.- DELETE - Remove an interface.[]>

example.com> commit


Related Topics

• Enabling or Changing Network Interfaces, page 2-18.

• Configuring TCP/IP Traffic Routes, page 2-22.

Redirect Hostname and System HostnameAfter running the System Setup Wizard, the System Hostname and the Redirect Hostname are the same. However, changing the system hostname using the sethostname command does not change the redirect hostname. Therefore the settings may have different values.

AsyncOS uses the redirect hostname for end-user notifications and acknowledgments.


Chapter 2 Connect, Install, and Configure Redirect Hostname and System Hostname

The system hostname is the fully-qualified hostname used to identify the appliance in the following areas:

• The command line interface (CLI)

• System alerts

• When forming the machine NetBIOS name when the Web Security appliance joins an Active Directory domain.

The system hostname does not correspond directly to interface hostnames and is not used by clients to connect to the appliance.

Changing the Redirect Hostname

Step 1 In the web user interface, navigate to Network>Authentication.

Step 2 Click Edit Global Settings.

Step 3 Enter a new value for Redirect Hostname.

Changing the System Hostname


Step 2 Use the sethostname command to change the name of the Web Security appliance:

example.com> sethostnameexample.com> hostname.comexample.com> commit...hostname.com>


Configuring SMTP Relay Host SettingsAsyncOS periodically sends system-generated email messages, such as notifications, alerts, and Cisco Customer Support requests. By default, AsyncOS uses information listed in the MX record on your domain to send email. However, if the appliance cannot directly reach the mail servers listed in the MX record, you must configure at least one SMTP relay host on the appliance.

Note If the Web Security appliance cannot communicate with the mail servers listed in the MX record or any of the configured SMTP relay hosts, it cannot send email messages and it writes a message in the log files.

You can configure one or more SMTP relay hosts. When you configure multiple SMTP relay hosts, AsyncOS uses the topmost available SMTP relay host. If an SMTP relay host is unavailable, it tries to use the one below it in the list.


Chapter 2 Connect, Install, and Configure DNS Settings

Configuring an SMTP Relay Host

Step 1 Choose Network > Internal SMTP Relay.


Step 3 Complete the Internal SMTP Relay settings.

Step 4 (Optional) Click Add Row to add additional SMTP relay hosts.


DNS SettingsAsyncOS for Web can use the Internet root DNS servers or your own DNS servers. When using the Internet root servers, you can specify alternate servers to use for specific domains. Since an alternate DNS server applies to a single domain, it must be authoritative (provide definitive DNS records) for that domain.

• Split DNS, page 2-32

• Clearing the DNS Cache, page 2-32

• Editing DNS Settings, page 2-33

Split DNSAsyncOS supports split DNS where internal servers are configured for specific domains and external or root DNS servers are configured for other domains. If you are using your own internal server, you can also specify exception domains and associated DNS servers.

Clearing the DNS Cache

Before You Begin

• Be aware that using this command might cause a temporary performance degradation while the cache is repopulated.

Step 1 Choose Network > DNS.


Relay Hostname or IP Address

The hostname or IP address to use for the SMTP relay

Port The port for connecting to the SMTP relay. If this property is left empty, the appliance uses port 25.

Routing Table to Use for SMTP

The routing table associated with an appliance network interface, either Management or Data, to use for connecting to the SMTP relay. Choose whichever interface is on the same network as the relay system.


Chapter 2 Connect, Install, and Configure DNS Settings

Step 2 Click Clear DNS Cache.

Editing DNS Settings

Step 1 Choose Network > DNS


Step 3 Configure the DNS settings as required.


Related Topics


• IP Address Versions, page 2-18


DNS Server(s) Use these DNS Servers. The local DNS server(s) that the appliance can use to resolve hostnames.

Use the Internet’s Root DNS Servers. You can choose to use the Internet root DNS servers for domain name service lookups when the appliance does not have access to DNS servers on your network.

Note Internet Root DNS servers will not resolve local hostnames. If you need the appliance to resolve local hostnames you must use a local DNS server or add the appropriate static entries to the local DNS using the Command Line Interface.

Alternate DNS servers Overrides (Optional). Authoritative DNS servers for particular domains

Routing Table for DNS Traffic

Specifies which interface the DNS service will route traffic through.

IP Address Version Preference

When a DNS server provides both an IPv4 and an IPv6 address, AsyncOS uses this preference to choose the IP address version.

Note AsyncOS does not honor the version preference for transparent FTP requests.

Wait Before Timing out Reverse DNS Lookups

The wait time in seconds before timing out non-responsive reverse DNS lookups.

Domain Search List A DNS domain search list used when a request is sent to a bare hostname (with no '.' character). The domains specified will each be attempted in turn, in the order entered, to see if a DNS match for the hostname plus domain can be found.


Chapter 2 Connect, Install, and Configure Troubleshooting Connect, Install, and Configure

Troubleshooting Connect, Install, and Configure• Failover Problems, page A-5

• Upstream Proxy Does Not Receive Basic Credentials, page A-22

• Client Requests Fail Upstream Proxy, page A-22

• Maximum Port Entries, page A-23

C H A P T E R


3Connect the Appliance to a Cisco Cloud Web Security Proxy

• How to Configure and Use Features in Cloud Connector Mode, page 3-1

• Deployment in Cloud Connector Mode, page 3-2

• Configuring the Cloud Connector, page 3-2

• Controlling Web Access Using Directory Groups in the Cloud, page 3-5

• Bypassing the Cloud Proxy Server, page 3-5

• Partial Support for FTP and HTTPS in Cloud Connector Mode, page 3-5

• Preventing Loss of Secure Data, page 3-6

• Viewing Group and User Names and IP Addresses, page 3-6

• Subscribing to Cloud Connector Logs, page 3-6

• Identification Profiles and Authentication with Cloud Web Security Connector, page 3-7

How to Configure and Use Features in Cloud Connector Mode Use of the features included in the Cloud Connector subset is the same as in standard mode, except as noted. See Comparison of Modes of Operation, page 2-2 for additional information.

This chapter links to locations within this documentation that provide information about some of the major features of the Web Security Appliance that are common to both standard mode and Cloud Web Security Connector mode. With the exception of Cloud Connector configuration settings and information about sending directory groups to the cloud, relevant information is in other locations throughout this document.

This chapter includes information about configuring the Cloud Web Security Connector that is not applicable in standard mode.

This document does not include information about the Cisco Cloud Web Security product. Cisco Cloud Web Security documentation is available from http://www.cisco.com/c/en/us/support/security/cloud-web-security/tsd-products-support-series-home.html.

http://www.cisco.com/c/en/us/support/security/cloud-web-security/tsd-products-support-series-home.html



Chapter 3 Connect the Appliance to a Cisco Cloud Web Security Proxy Deployment in Cloud Connector Mode

Deployment in Cloud Connector Mode When you initially set up the appliance, you choose whether to deploy in Cloud Connector mode or standard mode. You can also run the System Setup Wizard on an appliance that is currently deployed in standard mode to redeploy it in Cloud Connector mode, if you have the required licensing. Running the System Setup Wizard overwrites your existing configurations and deletes all existing data.

Deployment of the appliance is the same in both standard and Cloud Security mode except that on-site web proxy services and Layer-4 Traffic Monitor services are not available in Cloud Web Security Connector mode.

You can deploy the Cloud Web Security Connector in either explicit forward mode or in transparent mode.

To modify Cloud Connector settings after initial setup, select Network > Cloud Connector.

Related Topics

• Chapter 2, “Connect, Install, and Configure”

Configuring the Cloud ConnectorBefore You Begin

See Enabling Access to the Web Interface on Virtual Appliances, page 1-3.

Step 1 Access the Web Interface for the Web Security Appliance:

Enter the IPv4 address of the Web Security appliance in an Internet browser.

The first time you run the System Setup Wizard, use the default IPv4 address:

https://192.168.42.42:8443

-or-

http://192.168.42.42:8080

where 192.168.42.42 is the default IPv4 address, and 8080 is the default admin port setting for HTTP, and 8443 is default admin port for HTTPS.

Step 2 Select System Administration > System Setup Wizard.

Step 3 Accept the terms of the license agreement.

Step 4 Click Begin Setup.

Step 5 Configure system settings:

Setting Description

Default System Hostname The fully-qualified hostname for the Web Security appliance.

DNS Server(s) The Internet root DNS servers for domain name service lookups.

See also DNS Settings, page 2-32.

NTP Server A server with which to synchronize the system clock. The default is time.ironport.com.

Time Zone Sets the time zone on the appliance so that timestamps in message headers and log files are correct.


Chapter 3 Connect the Appliance to a Cisco Cloud Web Security Proxy Configuring the Cloud Connector

Step 6 Select Cloud Web Security Connector for the appliance mode.

Step 7 Configure Cloud Connector settings:

Step 8 Configure network interfaces and wiring:

Step 9 Configure routes for Management and Data traffic:

Step 10 Configure transparent connection settings:

Note By default, the Cloud Connector is deployed in transparent mode. which requires a connection to a Layer-4 switch or a version 2 WCCP router

Setting Description

Cloud Web Security Proxy Servers The address of the Cloud Proxy Server (CPS), for example, proxy1743.scansafe.net.

Failure Handling If AsyncOS fails to connect to a Cloud Web Security proxy, either Connect directly to the Internet or Drop requests.

Cloud Web Security Authorization Scheme

Method for authorizing transactions:

• Web Security Appliance public facing IPv4 address

• Authorization key included with each transaction. You can generate an authorization key within the Cisco Cloud Web Security Portal.

Setting Description

Ethernet Port If you configure the M1 interface for management traffic only, you must configure the P1 interface for data traffic. However, you can configure the P1 interface even when the M1 interface is used for both management and data traffic.

IP Address The IPv4 address to use to manage the Web Security appliance.

Network Mask The network mask to use when managing the Web Security appliance on this network interface.

Hostname The hostname to use when managing the Web Security appliance on this network interface.

Setting Description

Default Gateway The default gateway IPv4 address to use for the traffic through the Management and/or Data interface.

Name A name used to identify the static route.

Internal Network The IPv4 address for this route’s destination on the network.

Internal Gateway The gateway IPv4 address for this route. A route gateway must reside on the same subnet as the Management or Data interface on which it is configured.


Chapter 3 Connect the Appliance to a Cisco Cloud Web Security Proxy Configuring the Cloud Connector

Step 11 Configure administrative settings:

Step 12 Review and install:

a. Review the installation.

b. Click Previous to go back and make changes.

c. Click Install This Configuration to continue with the information you provided.

Related Topics

• Preventing Loss of Secure Data, page 3-6




• Managing Alerts, page 22-14

• Configuring SMTP Relay Host Settings, page 2-31

Setting Description

Layer-4 Switch

or

No Device

• The Web Security appliance is connected to a layer 4 switch.

or

• You will deploy the Cloud Connector in explicit forward mode.

WCCP v2 Router The Web Security appliance is connected to a version 2 WCCP capable router.

Note: A passphrase can contain up to seven characters and is optional.

Setting Description

Administrator Passphrase A passphrase to access the Web Security appliance. The passphrase must be six characters or more.

Email system alerts to An email address to which the appliance sends alerts.

Send Email via SMTP Relay Host (Optional) A hostname or address for an SMTP relay host that AsyncOS uses for sending system generated email messages.

The default SMTP relay host is the mail servers listed in the MX record.

The default port number is 25.

AutoSupport The appliance can send system alerts and weekly status report to Cisco Customer Support.


Chapter 3 Connect the Appliance to a Cisco Cloud Web Security Proxy Controlling Web Access Using Directory Groups in the Cloud

Controlling Web Access Using Directory Groups in the CloudYou can use Cisco Cloud Web Security to control web access based on directory groups. When traffic to Cisco Cloud Web Security is being routed through a Web Security Appliance in Cloud Connector mode, Cisco Cloud Web Security needs to receive the directory-group information with the transactions from the Cloud Connector so it can apply the group-based cloud policies.

Before You Begin

• Add an authentication realm to the Web Security Appliance configuration.

Step 1 Navigate to Network > Cloud Connector.

Step 2 In the Cloud Policy Directory Groups area, click Edit Groups.

Step 3 Select the User Groups and Machine Groups for which you have created Cloud Policies within Cisco Cloud Web Security.

Step 4 Click Add.

Step 5 Click Done and Commit your changes.

Related information

• Authentication Realms, page 5-10

Bypassing the Cloud Proxy ServerCloud routing policies allow you to route web traffic to either Cisco Cloud Web Security proxies or directly to the Internet based on these characteristics:

• Identification Profile

• Proxy Port

• Subnet

• URL Category

• User Agent

The process of creating cloud routing policies in Cloud Connector mode is identical to the process of creating routing policies using the standard mode.

Related Topics


Partial Support for FTP and HTTPS in Cloud Connector Mode The Web Security appliance in Cloud Connector mode does not fully support FTP or HTTPS.

FTP

FTP is not supported by the Cloud Connector. AsyncOS drops native FTP traffic when the appliance is configured for Cloud Connector.


Chapter 3 Connect the Appliance to a Cisco Cloud Web Security Proxy Preventing Loss of Secure Data

FTP over HTTP is supported in Cloud Connector mode.

HTTPS

The Cloud Connector does not support decryption. It passes HTTPS traffic without decrypting.

Because the Cloud Connector does not support decryption, AsyncOS generally does not have access to information in the client headers of HTTPS traffic. Therefore, AsyncOS generally cannot enforce routing policies that rely on information in encrypted headers. This is always the case for transparent HTTPS transactions. For example, for transparent HTTPS transactions, AsyncOS does not have access to the port number in the HTTPS client header and therefore it cannot match a routing policy based on port number. In this case, AsyncOS uses the default routing policy.

There are two exceptions for explicit HTTPS transactions. AsyncOS has access to the following information for explicit HTTPS transactions:

• URL

• Destination port number

For explicit HTTPS transactions, it is possible to match a routing policy based on URL or port number.

Preventing Loss of Secure DataYou can integrate the Cloud Connector with external Data Loss Prevention servers through Network > External DLP Servers.

Related Topics

• Chapter 16, “Prevent Loss of Sensitive Data”

Viewing Group and User Names and IP Addresses To view the configured group names, user names, and IP addresses, go to whoami.scansafe.net.

Subscribing to Cloud Connector LogsThe Cloud Connector Logs provides useful information for troubleshooting problems with the Cloud Connector, for example, authenticated users and groups, the Cloud header, and the authorization key.

Step 1 Navigate to System Administration > Log Subscriptions.

Step 2 Select Cloud Connector Logs from the Log Type menu.

Step 3 Type a name in the Log Name field.

Step 4 Set the log level.

Step 5 Submit and Commit your changes.

Related Topics

• Chapter 21, “Monitor System Activity Through Logs”


Chapter 3 Connect the Appliance to a Cisco Cloud Web Security Proxy Identification Profiles and Authentication with Cloud Web Security Connector

Identification Profiles and Authentication with Cloud Web Security Connector

The Cloud Web Security Connector supports basic authentication and NTLM. You can also bypass authentication for certain destinations.

In Cloud Connector mode, using an Active Directory realm, you can identify transaction requests as originating from specific machines. The Machine ID service is not available in standard mode.

With two exceptions, Authentication works the same throughout the Web Security Appliance, whether in standard configuration or Cloud Connector configuration. Exceptions:

• The Machine ID service is not available in standard mode.

• AsyncOS does not support Kerberos when the appliance is configured in Cloud Connector mode.

Note Identification Profiles based on User Agent or Destination URL are not supported for HTTPS traffic.

Related Topics

• Identifying Machines for Policy Application, page 3-7

• Guest Access for Unauthenticated Users, page 3-8

• Chapter 6, “Classify End-Users and Client Software”

• Chapter 5, “Acquire End-User Credentials”

Identifying Machines for Policy ApplicationBy enabling the Machine ID service, AsyncOS can apply policies based on the machine that made the transaction request rather than the authenticated user or IP address or some other identifier. AsyncOS uses NetBIOS to acquire the machine ID.

Before You Begin

• Be aware that the machine identity service is only available through Active Directory realms. If you do not have an Active Directory realm configured, this service is disabled.

Step 1 Select Network > Machine ID Service.

Step 2 Click Enable and Edit Settings.

Step 3 Configure Machine Identification settings:

Setting Description

Enable NetBIOS for Machine Identification Select to enable the machine identification service.

Realm The Active Directory realm to use to identify the machine that is initiating the transaction request.

Failure Handling If AsyncOS cannot identify the machine, should it drop the transaction or continue with policy matching?


Chapter 3 Connect the Appliance to a Cisco Cloud Web Security Proxy Identification Profiles and Authentication with Cloud Web Security Connector

Step 4 Submit and Commit your changes.

Guest Access for Unauthenticated UsersIf the Web Security appliance is configured to provide guest access for unauthenticated users, in Cloud Connector mode, AsyncOS assigns guest users to the group, __GUEST_GROUP__, and sends that information to Cisco Cloud Web Security. Use Identities to provide guest access to unauthenticated users. Use Cisco Cloud Web Security policies to control these guest users.

Related Topics

• Granting Guest Access After Failed Authentication, page 5-31

C H A P T E R


4Intercepting Web Requests

• Overview of Intercepting Web Requests, page 4-1.

• Tasks for Intercepting Web Requests, page 4-2.

• Best Practices for Intercepting Web Requests, page 4-2.

• Web Proxy Options for Intercepting Web Requests, page 4-3.

• Client Options for Redirecting Web Requests, page 4-11.

• Using PAC Files with Client Applications, page 4-11.

• FTP Proxy Services, page 4-14.

• SOCKS Proxy Services, page 4-16

Overview of Intercepting Web RequestsThe Web Security appliance intercepts requests that are forwarded to it by clients or other devices over the network.

The appliance works in conjunction with other network devices to intercept traffic. These may be ordinary switches, transparent redirection devices, network taps, and other proxy servers or Web Security appliances.


Chapter 4 Intercepting Web Requests Tasks for Intercepting Web Requests

Tasks for Intercepting Web Requests

Best Practices for Intercepting Web Requests• Enable only the proxy services you require.

• Use the same forwarding and return method (either L2 or GRE) for all WCCP services defined in the Web Security appliance. This allows the proxy bypass list to work consistently.

• Ensure that users cannot access PAC files from outside the corporate network. This allows your mobile workers to use the web proxy when they are on the corporate network and to connect directly to web servers at other times.

• Allow a web proxy to accept X-Forwarded-For headers from trustworthy downstream proxies or load balancers only.

• Leave the web proxy in the default transparent mode, even if initially using only explicit forwarding. Transparent mode also accepts explicitly forwarded requests.

Steps Task Links to Related Topics and Procedures

1. Review best practices. • Best Practices for Intercepting Web Requests, page 4-2

2. (Optional) Perform follow up networking tasks:

• Connect and configure upstream proxies.

• Configure network interface ports.

• Configure transparent redirection devices.

• Configure TCP/IP routes.

• Configure VLANs.





• Increasing Interface Capacity Using VLANs, page 2-28

3. (Optional) Perform follow up Web Proxy tasks:

• Configure the web proxy to operate in either Forward or Transparent mode.

• Decide if additional services are needed for the protocol types you want to intercept

• Configure IP spoofing.

• Manage the web proxy cache.

• Use custom web request headers.

• Bypass the proxy for some requests.

• Web Proxy Options for Intercepting Web Requests, page 4-3

• Configuring Web Proxy Settings, page 4-3

• Web Proxy Options for Intercepting Web Requests, page 4-3

• Web Proxy Cache, page 4-5

• Web Proxy IP Spoofing, page 4-8

• Web Proxy Bypassing, page 4-10

4. Perform client tasks:

• Decide how clients should redirect requests to the web proxy.

• Configure clients and client resources.

• Client Options for Redirecting Web Requests, page 4-11

• Using PAC Files with Client Applications, page 4-11

5. (Optional) Enable and Configure the FTP proxy. • FTP Proxy Services, page 4-14


Chapter 4 Intercepting Web Requests Web Proxy Options for Intercepting Web Requests

Web Proxy Options for Intercepting Web RequestsBy itself, the Web Proxy can intercept web requests that use HTTP (including FTP over HTTP) and HTTPS. Additional proxy modules are available to enhance protocol management:

• FTP Proxy. The FTP Proxy allows the interception of native FTP traffic (rather than just FTP traffic that has been encoded within HTTP).

• HTTPS Proxy. The HTTPS proxy supports the decryption of HTTPS traffic and allows the web proxy to pass unencrypted HTTPS requests on to policies for content analysis.

Note When in transparent mode, the Web Proxy drops all transparently redirected HTTPS requests if the HTTPS proxy is not enabled. No log entries are created for dropped transparently redirected HTTPS requests.

• SOCKS Proxy. The SOCKS proxy allows the interception of SOCKS traffic.

Each of these additional proxies requires the Web Proxy in order to function.You cannot enable them if you disable the Web Proxy.

Note The Web proxy is enabled by default. All other proxies are disabled by default.

Related Topics

• FTP Proxy Services, page 4-14.

• SOCKS Proxy Services, page 4-16

Configuring Web Proxy Settings

Before You Begin

• Enable the web proxy.

Step 1 Choose Security Services > Web Proxy.


Step 3 Configure the basic web proxy settings as required.


HTTP Ports to Proxy The ports that the web Proxy will listen on for HTTP connections

HTTP CONNECT Ports The ports applications are allowed to use for tunneling outbound traffic over HTTP.

Caching Specifies whether to enable or disable Web Proxy caching.

The web proxy caches data to increase performance.



Step 4 Complete the advanced web proxy settings as required.

Proxy mode • Forward — Allow the client browser to name the internet target. Requires individual configuration of each web browser to use the web proxy. The web proxy can intercept only explicitly forwarded web requests in this mode.

• Transparent (Recommended) — Allow the web proxy to name the internet target. The web proxy can intercept both transparent and explicitly forwarded web requests in this mode.

IP Spoofing • IP Spoofing disabled — The web proxy changes the request source IP address to match its own address to increase security.

• IP Spoofing enabled — The web proxy retains the source address so that it appears to originate from the source client rather than from the Web Security appliance.


Persistent Connection Timeout

The maximum time in seconds the web proxy keeps open a connection to a client or server after a transaction has been completed and no further activity is detected.

• Client side. The timeout value for connections to clients.

• Server side. The timeout value for connections to servers.

If you increase these values connections will remain open longer and reduce the overhead used to open and close connections repeatedly. However, you also reduce the ability of the Web Proxy to open new connections if the maximum number of simultaneous persistent connections has been reached.

Cisco recommends keeping the default values.

In-Use Connection Timeout

The maximum time in seconds that the web proxy waits for more data from an idle client or server when the current transaction has not yet been com-pleted.

• Client side. The timeout value for connections to clients.

• Server side. The timeout value for connections to servers.

Simultaneous Persistent Connections (Server Maximum Number)

The maximum number of connections (sockets) the Web Proxy keeps open with servers.





Related Topics



Web Proxy CacheThe web proxy caches data to increase performance. AsyncOS includes defined caching modes that range from safe to aggressive, and also allows customized caching. You can also exclude specific URLs from being cached, either by removing them from the cache, or by configuring the cache to ignore them.

Clearing the Web Proxy Cache

Step 1 Choose Security Services > Web Proxy.

Step 2 Click Clear Cache and confirm your action.

Generate Headers Generate and add headers that encode information about the request.

• X-Forwarded-For headers encode the IP address of the client from which an HTTP request originated.

Note To turn header forwarding on or off, use the CLI advancedproxyconfig command, Miscellaneous option, “Do you want to pass HTTP X-Forwarded-For headers?”

Note Using an explicit forward upstream proxy to manage user authentication or access control with proxy authentication requires forwarding of these headers.

• Request Side VIA headers encode the proxies through which the request passed on its way from the client to the server.

• Response Side VIA headers encode the proxies through which the request passed on its way from the server to the client.

Use Received Headers Allows a Web proxy deployed as an upstream proxy to identify clients using X-Forwarded-For headers send by downstream proxies. The Web Proxy will not accept the IP address in a X-Forwarded-For header from a source that is not included in this list.

If enabled, requires the IP address of a downstream proxy or load balancer (you cannot enter subnets or host names).



Removing URLs from the Web Proxy Cache


Step 2 Use the webcache > evict commands to access the required caching area:

example.com> webcache

Choose the operation you want to perform:- EVICT - Remove URL from the cache- DESCRIBE - Describe URL cache status- IGNORE - Configure domains and URLs never to be cached[]> evict

Enter the URL to be removed from the cache.[]>

Step 3 Enter the URL to be removed from the cache.

Note If you do not include a protocol in the URL, http:// will be prepended to it (e.g., www.cisco.com will become http://www.cisco.com)

Specifying Domains or URLs that the Web Proxy never Caches


Step 2 Use the webcache -> ignore commands to access the required submenus:

example.com> webcache

Choose the operation you want to perform:- EVICT - Remove URL from the cache- DESCRIBE - Describe URL cache status- IGNORE - Configure domains and URLs never to be cached[]> ignore

Choose the operation you want to perform:- DOMAINS - Manage domains- URLS - Manage urls[]>

Step 3 Enter the address type you wish to manage: DOMAINS or URLS.

[]> urls

Manage url entries:

Choose the operation you want to perform:- DELETE - Delete entries- ADD - Add new entries- LIST - List entries[]>

Step 4 Enter add to add new entries:

[]> add



Enter new url values; one on each line; an empty line to finish[]>

Step 5 Enter domains or URLs, one per line; for example:

Enter new url values; one on each line; an empty line to finish[]> www.example1.com

Enter new url values; one on each line; an empty line to finish[]>

You can include certain regular expression (regex) characters when specifying a domain or URLs. With the DOMAINS option, you can use a preceding dot character to exempt an entire domain and its subdomains from caching. For example, you can enter .google.com rather than simply google.com to exempt www.google.com, docs.google.com, and so on.

With the URLS option, you can use the full suite of regular-expression characters. See Regular Expressions, page 9-21 for more information about using regular expressions.

Step 6 When you are finished entering values, press Enter until you are returned to the main command-line interface.


Choosing The Web Proxy Cache Mode


Step 2 Use the advancedproxyconfig -> caching commands to access the required submenus:


Choose a parameter group:- AUTHENTICATION - Authentication related parameters- CACHING - Proxy Caching related parameters- DNS - DNS related parameters- EUN - EUN related parameters- NATIVEFTP - Native FTP related parameters- FTPOVERHTTP - FTP Over HTTP related parameters- HTTPS - HTTPS related parameters- SCANNING - Scanning related parameters- PROXYCONN - Proxy connection header related parameters- CUSTOMHEADERS - Manage custom request headers for specific domains- MISCELLANEOUS - Miscellaneous proxy related parameters- SOCKS - SOCKS Proxy parameters[]> caching

Enter values for the caching options:

The following predefined choices exist for configuring advanced cachingoptions:1. Safe Mode2. Optimized Mode3. Aggressive Mode4. Customized ModePlease select from one of the above choices:[2]>



Step 3 Enter a number corresponding to the web proxy cache settings you require:

Step 4 If you chose option 4 (Customized mode), enter values (or leave at the default values) for each of the custom settings.

Step 5 Press Enter until you return to the main command interface.


Related Topics


Web Proxy IP SpoofingWhen the web proxy forwards a request, it changes the request source IP address to match its own address by default. This increases security, but you can change this behavior by implementing IP spoofing, so that requests retain their source address and appear to originate from the source client rather than from the Web Security appliance.

IP spoofing works for transparent and explicitly forwarded traffic. When the Web Proxy is deployed in transparent mode, you have the choice to enable IP spoofing for transparently redirected connections only or for all connections (transparently redirected and explicitly forwarded). If explicitly forwarded connections use IP spoofing, you should ensure that you have appropriate network devices to route return packets back to the Web Security appliance.

When IP spoofing is enabled and the appliance is connected to a WCCP router, you must configure two WCCP services: one based on source ports and one based on destination ports.

Related Topics

• Configuring Web Proxy Settings, page 4-3.

• Configuring WCCP Services, page 2-25.

Entry Mode Description

1 Safe The least caching and the most adherence to RFC #2616 compared to the other modes.

2 Optimized Moderate caching and moderate adherence to RFC #2616. Compared to safe mode, in optimized mode the Web Proxy caches objects when no caching time is specified when a Last-Modified header is present. The Web Proxy caches negative responses.

3 Aggressive The most caching and the least adherence to RFC #2616. Compared to optimized mode, aggressive mode caches au-thenticated content, ETag mismatches, and content without a Last-Modified header. The Web Proxy ignores the no-cache parameter.

4 Customized mode Configure each parameter individually.



Web Proxy Custom HeadersYou can add custom headers to specific outgoing transactions to request special handling from destination servers. For example, if you have a relationship with YouTube for Schools, you can use a custom header to identify transaction requests to YouTube.com as coming from your network and as requiring special handling.

Adding Custom Headers To Web Requests


Step 2 Use the advancedproxyconfig -> customheaders commands to access the required submenus:


Choose a parameter group:- AUTHENTICATION - Authentication related parameters- CACHING - Proxy Caching related parameters- DNS - DNS related parameters- EUN - EUN related parameters- NATIVEFTP - Native FTP related parameters- FTPOVERHTTP - FTP Over HTTP related parameters- HTTPS - HTTPS related parameters- SCANNING - Scanning related parameters- PROXYCONN - Proxy connection header related parameters- CUSTOMHEADERS - Manage custom request headers for specific domains- MISCELLANEOUS - Miscellaneous proxy related parameters- SOCKS - SOCKS Proxy parameters[]> customheaders

Currently defined custom headers:

Choose the operation you want to perform:- DELETE - Delete entries- NEW - Add new entries- EDIT - Edit entries[]>

Step 3 Enter the required subcommand as follows:

Step 4 Press Enter until you return to the main command interface.

Option Description

Delete Deletes the custom header you identify. Identify the header to delete using the number associated with the header in the list returned by the command.

New Creates the header you provide for use with the domain or domains you specify.

Example header:

X-YouTube-Edu-Filter: ABCD1234567890abcdef

(The value in this case is a unique key provided by YouTube.)

Example domain:

youtube.com

Edit Replaces an existing header with one you specify. Identify the header to delete using the number associated with the header in the list returned by the command.




Web Proxy Bypassing• Web Proxy Bypassing for Web Requests, page 4-10

• Configuring Web Proxy Bypassing for Web Requests, page 4-10

• Configuring Web Proxy Bypassing for Applications, page 4-10

Web Proxy Bypassing for Web Requests

You can configure the Web Security appliance so that transparent requests from particular clients, or to particular destinations, bypass the Web Proxy.

Bypassing the web proxy allows you to:

• Prevent interference with non-HTTP-compliant (or proprietary) protocols that use HTTP ports but do not work properly when they connect to a proxy server.

• Ensure that traffic from a particular machine inside the network, such as a malware test machine, bypasses the Web Proxy and all its built-in security protection.

Bypassing only works for requests that are transparently redirected to the web proxy. The web proxy processes all requests that clients explicitly forward to it, whether the proxy is in transparent or forward mode.

Configuring Web Proxy Bypassing for Web Requests

Step 1 Choose Web Security Manager > Bypass Settings.

Step 2 Click Edit Bypass Settings.

Step 3 Enter the addresses for which you wish to bypass the web proxy.


Configuring Web Proxy Bypassing for Applications

Step 1 Choose Web Security Manager > Bypass Settings.

Step 2 Click Edit Application Bypass Settings.

Step 3 Select the application(s) you wish to bypass scanning for.



Chapter 4 Intercepting Web Requests Client Options for Redirecting Web Requests

Web Proxy Usage AgreementYou can configure the Web Security appliance to inform users that it is filtering and monitoring their web activity. The appliance does this by displaying an end-user acknowledgment page when a user first accesses a browser after a certain period of time. When the end-user acknowledgment page appears, users must click a link to access the original site requested or any other website.

Related Topics

• Notify End-Users of Proxy Actions

Client Options for Redirecting Web RequestsIf you choose to have clients explicitly forward requests to the web proxy, you must also decide how to configure the clients to do this. Choose from the following methods:

• Configure Clients Using Explicit Settings. Configure clients with the web proxy hostname and port number. See individual client documentation for details on how to do this.

Note The web proxy port uses port numbers 80 and 3128 by default. Clients can use either port.

• Configure Clients Using a Proxy Auto-Config (PAC) File. PAC files provide clients with instructions on where to direct web requests. This options allows you to centrally manage subsequent changes to the proxy details.

If you choose to use PAC files, you must also choose where to store them and how clients will find them.

Related Topics


Using PAC Files with Client Applications

Options For Publishing Proxy Auto-Config (PAC) FilesYou must publish PAC files where clients can access them. Valid locations are:

• Web servers.

• Web Security appliances. You can place PAC files on a Web Security appliance, which appears to clients as a web browser. The appliance also offers additional options to manage PAC files, including the ability to service requests that use different hostnames, ports, and file names.

• Local machines. You can place the PAC file locally on a client’s hard disk. Cisco does not recommend this as a general solution, and it is not suited to automatic PAC file detection methods, but it can be useful for testing.

Related Topics

• Hosting PAC Files on the Web Security Appliance, page 4-12.

• Specifying PAC Files in Client Applications, page 4-13.


Chapter 4 Intercepting Web Requests Using PAC Files with Client Applications

Client Options For Finding Proxy Auto-Config (PAC) FilesIf you choose to use PAC files for your clients, you must also choose how clients will find the PAC files. You have two options:

• Configure client with the PAC file location. Configure the client with a URL that specifically points to the PAC file.

• Configure clients to detect the PAC file location automatically. Configure clients to find PAC files automatically using the WPAD protocol along with DHCP or DNS.

Automatic PAC File Detection

WPAD is a protocol that allows the browser determine the location of a PAC file using DHCP and DNS.

• To use WPAD with DHCP, you must set up option 252 on the DHCP server’s with the url of the PAC file location. Not all browsers support DHCP, however.

• To use WPAD with DNS, you must configure a DNS record to point to the PAC file’s host server.

You can configure either or both options. WPAD will first try to find PAC files using DHCP, and if it cannot, it will then try DNS.

Related Topics

• Detecting the PAC File Automatically in Clients, page 4-13

Hosting PAC Files on the Web Security Appliance

Step 1 Choose Security Services > PAC File Hosting

Step 2 Click Enable and Edit Settings.

Step 3 (Optional) Complete the following basic settings:

Step 4 Click Browse in the PAC Files section and select a PAC file from your local machine for upload to the Web Security appliance.

Note If the file you select is called default.pac, you do not have to specify the file name when configuring its location in a browser. The Web Security appliance looks for a file called default.pac if no name is specified.

Step 5 Click Upload to upload the PAC file selected in step 4 to the Web Security appliance.

Option Description

PAC Server Ports The ports that the Web Security appliance will use to listen for PAC file requests.

PAC File Expiration Allows the PAC file to expire after a specified number of minutes in the browser’s cache.


Chapter 4 Intercepting Web Requests Using PAC Files with Client Applications

Step 6 (Optional) In the Hostnames for Serving PAC Files Directly section, configure hostnames and associated

file names for PAC file requests that do not include a port number(BS: such as DNS WPAD requests?):


Specifying PAC Files in Client Applications• Configuring a PAC File Location Manually in Clients, page 4-13

• Detecting the PAC File Automatically in Clients, page 4-13

Configuring a PAC File Location Manually in Clients

Step 1 Create and publish a PAC file.

Step 2 Enter a URL in your browser’s PAC file configuration area that points to the PAC file location.

The following are valid URL formats if the Web Security appliance is hosting the PAC file:

http://server_address[.domain][:port][/filename] | http://WSAHostname[/filename]

where WSAHostname is the hostname value configured when hosting the PAC file on a Web Security appliance. Otherwise the URL format will depend on the storage location and, in some cases, on the client.

Related Topics


Detecting the PAC File Automatically in Clients

Step 1 Create a PAC file called wpad.dat and publish it to a web server or Web Security appliance (the file must be placed in a web server’s root folder if you intend using WPAD with DNS).

Step 2 Configure the web server to set up .dat files with the following MIME type:

application/x-ns-proxy-autoconfig

Option Description

Hostname The hostname that the PAC file request must include if the Web Security appliance is to service the request. As the request does not include a port number, it will be processed through the Web Proxy HTTP ports (e.g. port 80) and must be distinguishable as a PAC file request through this hostnam-evalue.

Default PAC File for "Get/" Request through Proxy Port

The PAC file name that will be associated with the hostname on the same row. Request to the hostname will return the PAC file specified here.

Only PAC files that have been uploaded are available for selection.

Add Row Adds another row to specify additional hostnames and PAC file names.


Chapter 4 Intercepting Web Requests FTP Proxy Services

Note A Web Security appliance does this for you automatically.

Step 3 To support DNS lookup, create an internally resolvable DNS name beginning with ‘wpad’ (for example, wpad.example.com) and associate it with the IP address of the server hosting the wpad.dat file.

Step 4 To support DHCP lookup, configure your DHCP server’s option 252 with the url of the wpad.dat file location (for example: “http://wpad.example.com/wpad.dat”). The URL can use any valid host address, including an IP address, and does not require a specific DNS entry.

Related Topics



• WPAD Not Working With Firefox, page A-4

FTP Proxy Services• Overview of FTP Proxy Services, page 4-14

• Enabling and Configuring the FTP Proxy, page 4-14

Overview of FTP Proxy ServicesThe web proxy can intercept two types of FTP requests:

• Native FTP. Native FTP requests are generated by dedicated FTP clients (or by browsers using built-in FTP clients). Requires the FTP proxy.

• FTP over HTTP. Browsers sometimes encode FTP requests inside HTTP requests, rather than using native FTP. Does not require the FTP proxy.

Related Topics

• Enabling and Configuring the FTP Proxy, page 4-14.

• Configuring FTP Notification Messages, page 17-9.

Enabling and Configuring the FTP Proxy

Note To configure proxy settings that apply to FTP over HTTP connections, see Configuring Web Proxy Settings, page 4-3.

Step 1 Choose Security Services > FTP Proxy.

Step 2 Click Enable and Edit Settings (if the only available option is Edit Settings then the FTP proxy is already enabled).


Chapter 4 Intercepting Web Requests FTP Proxy Services

Step 3 (Optional) Configure the basic FTP Proxy settings.

Step 4 (Optional) Configure the advanced FTP Proxy settings:


Proxy Listening Port The port that the FTP Proxy will listen to for FTP control connections. Clients should use this port when configuring an FTP proxy (not as the port for connecting to FTP servers, which normally use port 21).

Caching Whether of not data connections from anonymous users are cached.

Note Data from non-anonymous users is never cached.

Server Side IP Spoofing Allows the FTP Proxy to imitate the FTP server’s IP address. This supports FTP clients that do not allow transactions when the IP address is different for the control and data connections.

Authentication Format Allows a choice of authentication format the FTP Proxy can use when com-municating with FTP clients.

Passive Mode Data Port Range

The range of TCP ports that FTP clients should use to establish a data con-nection with the FTP Proxy for passive mode connections.

Active Mode Data Port Range

The range of TCP ports FTP servers should use to establish a data connection with the FTP Proxy for active mode connections. This setting applies to both native FTP and FTP over HTTP connections.

Increasing the port range accommodates more requests from the same FTP server. Because of the TCP session TIME-WAIT delay (usually a few minutes), a port does not become available again for the same FTP server im-mediately after being used. As a result, any given FTP server cannot connect to the FTP Proxy in active mode more than n times in a short period of time, where n is the number of ports specified in this field.

Welcome Banner The welcome banner that appears in FTP clients during connection. Choose from:

• FTP server message. The message will be provided by the destination FTP server. This option is only available when the web proxy is config-ured for transparent mode, and only applies for transparent connections.

• Custom message. When selected, this custom message is displayed for all native FTP connections. When not selected, this is still used for explicit forward native FTP connections.



Chapter 4 Intercepting Web Requests SOCKS Proxy Services


Related Topics

• Overview of FTP Proxy Services, page 4-14.

SOCKS Proxy Services• Overview of SOCKS Proxy Services, page 4-16

• Enabling Processing of SOCKS Traffic, page 4-17

• Configuring the SOCKS Proxy, page 4-17

• Creating SOCKS Policies, page 4-17

Overview of SOCKS Proxy ServicesThe Web Security appliance includes a SOCKS proxy to process SOCKS traffic. SOCKS policies are the equivalent of access policies that control SOCKS traffic. Similar to access policies, you can make use of Identification Profiles to specify which transactions are governed by each SOCKS policy. Once SOCKS policies are applied to transactions, routing policies can then govern routing of the traffic.

Note the following regarding the SOCKS proxy:

• The SOCKS protocol only supports direct forward connections.

• The SOCKS proxy does not support (will not forward to) upstream proxies.

• The SOCKS proxy does not support scanning services, which are used by Application Visibility and Control (AVC), Data Loss Prevention (DLP), and malware detection.

• The SOCKS proxy does not support policy tracing.

• The SOCKS proxy does not decrypt SSL traffic; it tunnels from client to server.

Control Connection Timeouts

The maximum number of seconds the FTP Proxy waits for more communi-cation in the control connection from an idle FTP client or FTP server when the current transaction has not been completed.

• Client side. The timeout value for control connections to idle FTP clients.

• Server side. The timeout value for control connections to idle FTP servers.

Data Connection Timeouts

How long the FTP Proxy waits for more communication in the data connec-tion from an idle FTP client or FTP server when the current transaction has not been completed.

• Client side. The timeout value for data connections to idle FTP clients.

• Server side. The timeout value for data connections to idle FTP servers.


Chapter 4 Intercepting Web Requests SOCKS Proxy Services

Enabling Processing of SOCKS Traffic

Before You Begin

• Enable the Web Proxy.

Step 1 Choose Security Services > SOCKS Proxy.


Step 3 Select Enable SOCKS Proxy.

Step 4 Submit and Commit Changes.

Configuring the SOCKS Proxy

Step 1 Choose Security Services > SOCKS Proxy.


Step 3 Select Enable SOCKS Proxy.

Step 4 Configure the basic and advanced SOCKS Proxy settings.

Creating SOCKS Policies

Step 1 Choose Web Security Manager > SOCKS Policies.

Step 2 Click Add Policy.

Step 3 Assign a name in the Policy Name field.

Note Each policy group name must be unique and only contain alphanumeric characters or the space character.


SOCKS Proxy Enabled.

SOCKS Control Ports Ports that accept SOCKS requests. Default is 1080.

UDP Request Ports UDP ports on which the SOCKS server should listen. Default is 16000-16100.

Proxy Negotiation Timeout Time to wait (in seconds) to send or receive data from a SOCKS client in the negotiation phase. Default is 60.

UDP Tunnel Timeout Time to wait (in seconds) for data from a UDP client or server before closing the UDP tunnel. Default is 60.


Chapter 4 Intercepting Web Requests Troubleshooting Intercepting Requests

Step 4 (Optional) Add a description.

Step 5 In the Insert Above Policy field, choose where in the SOCKS policies table to insert this SOCKS policy.

Note When configuring multiple SOCKS policies, determine a logical order for each policy. Order your policies to ensure that correct matching occurs.

Step 6 In the Identities and Users section, choose one or more Identities to apply to this policy group.

Step 7 (Optional) Expand the Advanced section to define additional membership requirements.


What to Do Next

• (Optional) Add an Identity for use with SOCKS Policies.

• Add one or more SOCKS Policies to manage SOCKS traffic.

Troubleshooting Intercepting Requests• URL Categories Do Not Block Some FTP Sites, page A-6

Advanced Option Description

Proxy Ports The port configured in the browser.

(Optional) Define policy group membership by the proxy port used to access the Web Proxy. Enter one or more port numbers in the Proxy Ports field. Separate multiple ports with commas.

You might want to define policy group membership on the proxy port if you have one set of clients configured to explicitly forward requests on one port, and another set of clients configured to explicitly forward requests on a different port.

Note If the Identity associated with this policy group defines Identity membership by this advanced setting, the setting is not configurable at the SOCKS policy group level.

Subnets (Optional) Define policy group membership by subnet or other addresses.

You can choose to use the addresses that may be defined with the associated Identity, or you can enter specific addresses here.

Note If the Identity associated with this policy group defines its membership by addresses, then in this policy group you must enter addresses that are a subset of the Identity’s addresses. Adding addresses in the policy group further narrows down the list of transactions that match this policy group.

Time Range (Optional) Define policy group membership by time range:

1. Select a time range from the Time Range field.

2. Specify whether this policy group should apply to the times inside or outside the selected time range.



• Large FTP Transfers Disconnect, page A-6

• Zero Byte File Appears On FTP Servers After File Upload, page A-6

• Unable to Route FTP Requests Via an Upstream Proxy, page A-22

• HTTPS and FTP over HTTP Requests Match only Access Policies that Do Not Require Authentication, page A-16

• User Matches Global Policy for HTTPS and FTP over HTTP Requests, page A-16



C H A P T E R


5Acquire End-User Credentials

• Overview of Acquire End-User Credentials, page 5-1

• Authentication Best Practices, page 5-2

• Authentication Realms, page 5-10

• Failed Authentication, page 5-28

• Credentials, page 5-35

• Troubleshooting Authentication, page 5-37

Overview of Acquire End-User Credentials

Server Type/RealmAuthentication Scheme Supported Network Protocol Notes

Active Directory Kerberos

NTLMSSP

Basic

HTTP, HTTPS

Native FTP, FTP over HTTP

SOCKS (Basic authentication)

Kerberos is only supported in Standard mode. It is not supported in Cloud Connector mode.

LDAP Basic HTTP, HTTPS

Native FTP, FTP over HTTP

SOCKS

—


Chapter 5 Acquire End-User Credentials Authentication Best Practices

Authentication Task Overview

Authentication Best Practices• Create as few Active Directory realms as is practical. Multiple Active Directory realms require

additional memory usage for authentication.

• If using NTLMSSP, authenticate users using either the Web Security appliance or the upstream proxy server, but not both. (Recommend Web Security appliance)

• If using Kerberos, authenticate using the Web Security appliance.

• For optimal performance, authenticate clients on the same subnet using a single realm.

• Some user agents are known to have issues with machine credentials or authentication failures, which can negatively impact normal operations. You should bypass authentication with these user agents. See Bypassing Authentication with Problematic User Agents, page 5-29.

Authentication Planning• Active Directory/Kerberos, page 5-3

• Active Directory/Basic, page 5-4

• Active Directory/NTLMSSP, page 5-5

• LDAP/Basic, page 5-5

• Identifying Users Transparently, page 5-5

Step Task Links to Related Topics and Procedures

1. Create an authentication realm. • How to Create an Active Directory Authentication Realm (NTLMSSP and Basic), page 5-14

• Creating an LDAP Authentication Realm, page 5-16

2. Configure global authentication settings. • Configuring Global Authentication Settings, page 5-21

3. Configure external authentication.

You can authenticate users through an external LDAP or RADIUS server.

• External Authentication, page 5-11

4. (Optional) Create and order additional authentication realms.

Create at least one authentication realm for each authentication protocol and scheme combination you plan to use.

• Creating Authentication Sequences, page 5-27

5. (Optional) Configure credential encryption. • Configuring Credential Encryption, page 5-36

6. Create Identification Profiles to classify users and client software based on authentication requirements.

• Classifying Users and Client Software, page 6-3

7. Create policies to manage Web requests from the users and user groups for which you created Identification Profiles.

• Managing Web Requests Through Policies Best Practices, page 10-3


Chapter 5 Acquire End-User Credentials Authentication Planning

Active Directory/Kerberos

Explicit Forward Transparent, IP-Based Caching Transparent, Cookie-Based Caching

Advantages:

• Better performance and interopera-bility when compared to NTLM

• Works with both Windows and non-Windows clients that have joined the domain

• Supported by all browsers and most other applications

• RFC-based

• Minimal overhead

• Works for HTTPS (CONNECT) requests

• Because the passphrase is not transmitted to the authentication server, it is more secure

• Connection is authenticated, not the host or IP address

• Achieves true single sign-on in an Active Directory environment when the client applications are configured to trust the Web Security appliance

Advantages:



• Works with all major browsers

• With user agents that do not support authentication, users only need to authenticate first in a supported browser

• Relatively low overhead

• Works for HTTPS requests if the user has previously authenticated with an HTTP request

Advantages:




• Authentication is associated with the user rather than the host or IP address

Disadvantages:

• Each new web domain requires the entire authentication process because cookies are domain specific

• Requires cookies to be enabled

• Does not work for HTTPS requests



Active Directory/Basic

Explicit Forward Transparent, IP-Based Caching Transparent, Cookie-Based Caching

Advantages:

• Supported by all browsers and most other applications

• RFC-based






Disadvantages:

• Passphrase sent as clear text (Base64) for every request

• No single sign-on

• Moderate overhead: each new connection needs to be re-authenticated

• Primarily supported on Windows only and with major browsers only

Advantages:





Disadvantages:

• Authentication credentials are associated with the IP address, not the user (does not work in Citrix and RDP environments, or if the user changes IP address)


• Passphrase is sent as clear text (Base64)

Advantages:


• Authentication is associated with the user rather than the host or IP address

Disadvantages:

• Each new web domain requires the entire authentication process because cookies are domain specific

• Requires cookies to be enabled

• Does not work for HTTPS requests





Active Directory/NTLMSSP

LDAP/Basic

Identifying Users TransparentlyTraditionally, users are identified and authenticated by prompting them to enter a user name and passphrase. These credentials are validated against an authentication server, and then the Web Proxy applies the appropriate policies to the transaction based on the authenticated user name.

Explicit Forward Transparent

Advantages:




Disadvantages:

• Moderate overhead: each new connection needs to be re-authenticated

• Primarily supported on Windows only and with major browsers only

Advantages:

• More Flexible

Transparent NTLMSSP authentication is similar to transparent Basic authentication except that the Web Proxy communicates with clients using challenge and response instead of basic clear text username and passphrase.

The advantages and disadvantages of using transparent NTLM authentication are the same as those of using transparent Basic authentication except that transparent NTLM authentication has the added advantaged of not sending the passphrase to the authentication server and you can achieve single sign-on when the client applications are configured to trust the Web Security appliance.

Explicit Forward Transparent

Advantages:

• RFC-based

• More browser support than NTLM



Disadvantages:


• Passphrase sent as clear text (Base64) for every request

Workarounds:


Advantages:

• More Flexible than explicit forward.

• More browser support than NTLM




Disadvantages:



• Authentication credentials are associated with the IP address, not the user (does not work in Citrix and RDP environments, or if the user changes IP address)

Workarounds:




However, you can configure the Web Security appliance to authenticate users transparently—that is, without prompting the end user for credentials. Transparent identification authenticates the user by means of credentials obtained from another trusted source, with the assumption that the user has already been authenticated by that trusted source, and then applies the appropriate policies.

You might want to identify users transparently to:

• Create a single sign-on environment so users are not aware of the presence of a proxy on the network.

• To apply authentication-based policies to transactions coming from client applications that are incapable of displaying an authentication prompt to end users.

Identifying users transparently only affects how the Web Proxy obtains the user name and assigns an Identification Profile. After it obtains the user name and assigns an Identification Profile, it applies all other policies normally, regardless of how it assigned the Identification Profile.

If transparent authentication fails, you can configure how to handle the transaction: you can grant the user guest access, or you can force an authentication prompt to appear to the user.

When an end user is shown an authentication prompt due to failed transparent user identification, and the user then fails authentication due to invalid credentials, you can choose whether to allow the user guest access.

Note When you enable re-authentication and a transaction is blocked by URL filtering, an end-user notification page appears with the option to log in as a different user. Users who click the link are prompted for authentication. For more information, see Failed Authorization: Allowing Re-Authentication with Different Credentials, page 5-33.

Understanding Transparent User Identification

The available methods of transparent user identification are:

• Transparently identify users with ISE – Available when the Identity Services Engine (ISE) service is enabled (Network > Identity Services Engine). For these transactions, the user name and associated Secure Group Tags will be obtained from an Identity Services Engine server. See Tasks for Certifying and Integrating the ISE Service, page 8-3.

• Transparently identify users with ASA – Users are identified by the current IP address-to-user name mapping received from a Cisco Adaptive Security Appliance (for remote users only). This option is available when AnyConnect Secure Mobility is enabled and integrated with an ASA. The user name will be obtained from the ASA, and associated directory groups will be obtained from the authentication realm or sequence specified on the Web Security appliance. See Remote Users, page 10-20.

• Transparently identify users with authentication realms – This option is available when one or more authentication realms are configured to support transparent identification using one of the following authentication servers:

– Active Directory – Create an NTLM or Kerberos authentication realm and enable transparent user identification. In addition, you must deploy a separate Active Directory agent such as Cisco’s Context Directory Agent. For more information, see Transparent User Identification with Active Directory, page 5-7.

– LDAP – Create an LDAP authentication realm configured as an eDirectory, and enable transparent user identification. For more information, see Transparent User Identification with LDAP, page 5-8.

AsyncOS for Web communicates at regular intervals with eDirectory or an Active Directory agent to maintain mappings that match authenticated user names to their current IP addresses.



Transparent User Identification with Active Directory

Active Directory does not record user log-in information in a format that is easily queried by other systems such as the Web Security appliance. Active Directory agents, such as Cisco’s Context Directory Agent (CDA), are necessary to query the Active Directory security event logs for information about authenticated users.

AsyncOS for Web communicates with the Active Directory agent to maintain a local copy of the IP-address-to-user-name mappings. When AsyncOS for Web needs to associate an IP address with a user name, it first checks its local copy of the mappings. If no match is found, it queries an Active Directory agent to find a match.

For more information on installing and configuring an Active Directory agent, see Setting Up an Active Directory Agent to Provide Information to the Web Security Appliance, page 5-7.

Consider the following when you identify users transparently using Active Directory:

• Transparent user identification with Active Directory works with an NTLM or Kerberos authentication scheme only. You cannot use it with an LDAP authentication realm that corresponds to an Active Directory instance.

• Transparent user identification works with the versions of Active Directory supported by an Active Directory agent.

• You can install a second instance of an Active Directory agent on a different machine to achieve high availability. When you do this, each Active Directory agent maintains IP-address-to-user-name mappings independently of the other agent. AsyncOS for Web uses the backup Active Directory agent after three unsuccessful ping attempts to the primary agent.

• The Active Directory agent uses on-demand mode when it communicates with the Web Security appliance.

• The Active Directory agent pushes user log-out information to the Web Security appliance. Occasionally, some user log-out information is not recorded in the Active Directory security logs. This can happen if the client machine crashes, or if the user shuts down the machine without logging out. If there is no user log-out information in the security logs, an Active Directory agent cannot inform the appliance that the IP address no longer is assigned to that user. To obviate this possibility, you can define how long AsyncOS caches the IP-address-to-user mappings when there are no updates from an Active Directory agent. For more information, see Using the CLI to Configure Advanced Transparent User Identification Settings, page 5-9.

• The Active Directory agent records the sAMAccountName for each user logging in from a particular IP address to ensure the user name is unique.

• The client IP addresses that the client machines present to the Active Directory server and the Web Security appliance must be the same.

• AsyncOS for Web searches only direct parent groups for a user. It does not search nested groups.

Setting Up an Active Directory Agent to Provide Information to the Web Security Appliance

Because AsyncOS for Web cannot obtain client IP addresses directly from Active Directory, it must obtain IP-address-to-user-name mapping information from an Active Directory agent.

Install an Active Directory agent on a machine in the network that is accessible to the Web Security appliance, and which can communicate with all visible Windows domain controllers. For best performance, this agent should be physically as close as possible to the Web Security appliance. In smaller network environments, you may want to install the Active Directory agent directly on the Active Directory server.



Note The Active Directory agent instance used to communicate with the Web Security appliance can also support other appliances, including Cisco’s Adaptive Security Appliance and other Web Security appliances.

Obtaining, Installing, and Configuring Cisco’s Context Directory Agent

You can find information about downloading, installing, and configuring the Cisco Context Directory Agent here: http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda10.html.

Note The Web Security appliance and Active Directory agent communicate with each other using the RADIUS protocol. The appliance and the agent must be configured with the same shared secret to obfuscate user passphrases. Other user attributes are not obfuscated.

Transparent User Identification with LDAP

AsyncOS for Web can communicate with an eDirectory server configured as a Lightweight Directory Access Protocol (LDAP) realms maintaining IP-address-to-user-name mappings. When a user logs in through an eDirectory client, the user is authenticated against the eDirectory server. When authentication succeeds, the client IP address is recorded in the eDirectory server as an attribute (NetworkAddress) of the user who logged in.

Consider the following when you identify users transparently using LDAP (eDirectory):

• The eDirectory client must be installed on each client workstation, and end users must use it to authenticate against an eDirectory server.

• The LDAP tree used by the eDirectory client log-in must be the same LDAP tree configured in the authentication realm.

• If the eDirectory clients use multiple LDAP trees, create an authentication realm for each tree, and then create an authentication sequence that uses each LDAP authentication realm.

• When you configure the LDAP authentication realm as an eDirectory, you must specify a Bind DN for the query credentials.

• The eDirectory server must be configured to update the NetworkAddress attribute of the user object when a user logs in.

• AsyncOS for Web searches only direct parent groups for a user. It does not search nested groups.

• You can use the NetworkAddress attribute for an eDirectory user to determine the most-recent log-in IP address for the user.

Rules and Guidelines for Transparent User Identification

Consider the following rules and guidelines when using transparent user identification with any authentication server:

• When using DHCP to assign IP addresses to client machines, ensure the IP-address-to-user-name mappings are updated on the Web Security appliance more frequently than the DHCP lease. Use the tuiconfig CLI command to update the mapping update interval. For more information, see Using the CLI to Configure Advanced Transparent User Identification Settings, page 5-9.

• If a user logs out of a machine and another user logs into the same machine before the IP-address-to user-name mapping is updated on the Web Security appliance, then the Web Proxy logs the client as the previous user.

http://www.cisco.com/en/US/docs/security/ibf/cda_10/Install_Config_guide/cda10.html



• You can configure how the Web Proxy handles transactions when transparent user identification fails. It can grant users guest access, or it can force an authentication prompt to appear to end users.

• When a user is shown an authentication prompt due to failed transparent user identification, and the user then fails authentication due to invalid credentials, you can choose whether to allow the user guest access.

• When the assigned Identification Profile uses an authentication sequence with multiple realms in which the user exists, AsyncOS for Web fetches the user groups from the realms in the order in which they appear in the sequence.

• When you configure an Identification Profile to transparently identify users, the authentication surrogate must be IP address. You cannot select a different surrogate type.

• When you view detailed transactions for users, the Web Tracking page shows which users were identified transparently.

• You can log which users were identified transparently in the access and WC3 logs using the %m and x-auth-mechanism custom fields. A log entry of SSO_TUI indicates that the user name was obtained by matching the client IP address to an authenticated user name using transparent user identification. (Similarly, a value of SSO_ASA indicates that the user is a remote user and the user name was obtained from a Cisco ASA using AnyConnect Secure Mobility.)

Configuring Transparent User Identification

Configuring transparent user identification and authorization is detailed in Acquire End-User Credentials, page 5-1. The basic steps are:

• Create and order authentication realms.

• Create Identification Profiles to classify users and client software.

• Create policies to manage web requests from the identified users and user groups.

Using the CLI to Configure Advanced Transparent User Identification Settings

AsyncOS for Web provides the following TUI-related CLI commands:

• tuiconfig – Configure advanced settings associated with transparent user identification. Batch mode can be used to configure multiple parameters simultaneously.

– Configure mapping timeout for Active Directory agent – Length of time, in minutes, IP-address-to-user mappings are cached for IP addresses retrieved by the AD agent when there are no updates from the agent.

– Configure proxy cache timeout for Active Directory agent – Length of time, in seconds, proxy-specific IP-address-to-user mappings are cached; valid values range from five to 1200 seconds. The default and recommended value is 120 seconds. Specifying a lower value may negatively affect proxy performance.

– Configure mapping timeout for Novell eDirectory – Length of time, in seconds, IP-address to-user mappings are cached for IP addresses retrieved from the eDirectory server when there are no updates from the server.

– Configure query wait time for Active Directory agent – The length of time, in seconds, to wait for a reply from the Active Directory agent. When the query takes more than this value, transparent user identification is considered to have failed. This limits the authentication delay experienced by the end user.


Chapter 5 Acquire End-User Credentials Authentication Realms

– Configure query wait time for Novell eDirectory – The length of time, in seconds, to wait for a reply from the eDirectory server. When the query takes more than this value, transparent user identification is considered to have failed. This limits the authentication delay experienced by the end user.

The Active Directory settings apply to all AD realms using an AD agent for transparent user identification. The eDirectory settings apply to all LDAP realms using eDirectory for transparent user identification.

If validation fails for any one parameter, none of the values will be changed.

• tuistatus – This command provides the following AD-related subcommands:

– adagentstatus – Displays the current status of all AD agents, as well as information about their connections with the Windows domain controllers.

– listlocalmappings – Lists all IP-address-to-user-name mappings stored on the Web Security appliance, as retrieved by the AD agent(s). It does not list entries stored on the agent(s), nor does it list mappings for which queries are currently in progress.

Configuring Single-Sign-on

Obtaining credentials transparently facilitates a single-sign-on environment. Transparent user identification is an authentication realm setting.

For Internet Explorer, be sure the Redirect Hostname is the short host name (containing no dots) or the NetBIOS name rather than a fully qualified domain. Alternatively, you can add the appliance host name to Internet Explorer’s Local intranet zone (Tools > Internet options > Security tab); however, this will be required on every client. For more information about this, see How do I properly set up NTLM with SSO (credentials sent transparently)?

With Firefox and other non-Microsoft browsers, the parameters network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris must be set to the transparent-mode Redirect Hostname. You also can refer to Firefox is not sending authentication credentials transparently (SSO). This article provides general information about changing Firefox parameters.

For information about the Redirect Hostname, see Configuring Global Authentication Settings, or the CLI command sethostname.

Authentication RealmsAuthentication realms define the details required to contact the authentication servers and specify which authentication scheme to use when communicating with clients. AsyncOS supports multiple authentication realms. Realms can also be grouped into authentication sequences that allow users with different authentication requirements to be managed through the same policies.


• Creating an Active Directory Realm for Kerberos Authentication Scheme, page 5-11

• How to Create an Active Directory Authentication Realm (NTLMSSP and Basic), page 5-14

• Creating an LDAP Authentication Realm, page 5-16

• About Deleting Authentication Realms, page 5-21

• Configuring Global Authentication Settings, page 5-21

http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117934-technote-csc-00.html


http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118027-config-wsa-00.html


http://www.toptip.ca/2010/03/change-secret-configuration-parameters.html



Related Topics

• RADIUS User Authentication, page 22-8

• Authentication Sequences, page 5-26

External AuthenticationYou can authenticate users through an external LDAP or RADIUS server.

Configuring External Authentication through an LDAP Server

Before You Begin

• Create an LDAP authentication realm and configure it with one or more external authentication queries. Creating an LDAP Authentication Realm, page 5-16

Step 1 Enable external authentication on the appliance:

a. Navigate to System Administration > Users.

b. Click Enable in the External Authentication section.

c. Configure the options:


Enabling RADIUS External Authentication

See Enabling External Authentication Using RADIUS, page 22-9.

Creating an Active Directory Realm for Kerberos Authentication Scheme

Before You Begin

• Ensure the appliance is configured in Standard mode (not Cloud Connector Mode).

• Prepare the Active Directory Server.

Option Description

Enable External Authentication —

Authentication Type Select LDAP.

External Authentication Cache Timeout The number of seconds AsyncOS stores the external authentication credentials before contacting the LDAP server again to re-authenticate. Default is zero (0).

LDAP External Authentication Query A query configured with the LDAP realm.

Timeout to wait for valid response from server.

The number of seconds AsyncOS waits for a response to the query from the server.

Group Mapping For each group name in the directory, assign a role.



– Install Active Directory on one of these servers: Windows server 2003, 2008, 2008R2 or 2012.

– Create a user on the Active Directory server that is a member of the Domain Admins or Account Operators group.

Or

– Create a user name with the following permissions:

- Active Directory permissions Reset Password

- Validated write to servicePrincipalName

- Write account restrictions

- Write dNShost name

- Write servicePrincipalName

These are the minimal Active Directory permissions required by a user name to join an appliance to the domain and ensure its complete functioning.

– Join your client to the domain. Supported clients are Windows XP, Windows 7 and Mac OS 10.5+.

– Use the kerbtray tool from the Windows Resource Kit to verify the Kerberos ticket on the client: http://www.microsoft.com/en-us/download/details.aspx?id=17657 .

– Ticket viewer application on Mac clients is available under main menu > KeyChain Access to view the Kerberos tickets.

• Ensure you have the rights and domain information needed to join the Web Security appliance to the Active Directory domain you wish to authenticate against.

• Compare the current time on the Web Security appliance with the current time on the Active Directory server and verify that the difference is no greater than the time specified in the “Maximum tolerance for computer clock synchronization” option on the Active Directory server.

• If the Web Security appliance is managed by a Security Management appliance, be prepared to ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance.

• Web Security appliance configuration:

– In explicit mode, the WSA host name (CLI command sethostname) and the proxy name configured in the browser must be the same.

– In transparent mode, the WSA host name must be the same as the Redirect Hostname (see Configuring Global Authentication Settings, page 5-21). Further, the WSA host name and Redirect Hostname must be configured prior to creating a Kerberos realm.

• Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.

• Note that single sign on (SSO) must be configured on client browsers; see Configuring Single-Sign-on, page 5-10.

• To simplify use of logs, customize the access log to use the %m custom field parameter. See Customizing Access Logs, page 21-26.

Step 1 In the Cisco Web Security Appliance web interface, choose Network > Authentication.

Step 2 Click Add Realm.

Step 3 Assign a unique name to the authentication realm using only alphanumeric and space characters.

Step 4 Select Active Directory in the Authentication Protocol field.



Step 5 Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).

Example: ntlm.example.com.

An IP address is required only if the DNS servers configured on the appliance cannot resolve the Active Directory server hostname.

When multiple authentication servers are configured in the realm, the appliance attempts to authorize with up to three authentication servers before failing to authorize the transaction within this realm.

Step 6 Join the appliance to the domain:

a. Configure the Active Directory Account:

b. Click Join Domain.

Note If you attempt to join a domain you have already joined (even if you use the same credentials), existing connections will be closed, as the Active Directory will send a new set of keys to all clients including this WSA. Affected clients will need to log off and log back in again.

c. Provide login credentials (user name and passphrase) for the account on the Active Directory, and click Create Account.

Step 7 (Optional) Configure transparent user identification.

Step 8 Configure Network Security:

Setting Description

Active Directory Domain The Active Directory serve3r domain name. Also known as a DNS Domain or realm.

NetBIOS domain name If the network uses NetBIOS, provide the domain name.

Tip If this option is not available use the setntlmsecuritymode CLI command to verify that the NTLM security mode is set to “domain.”

Computer Account Specify a location within the Active Directory domain where AsyncOS will create an Active Directory computer account, also known as a “machine trust account,” to uniquely identify the computer on the domain.

If the Active Directory environment automatically deletes computer objects at particular intervals, specify a location for the computer account that is in a container, protected from automatic deletion.

Setting Description

Enable Transparent User Identification using Active Directory agent

Enter both the server name for the machine where the primary Context Directory agent is installed and the shared secret used to access it.

(Optional) Enter the server name for the machine where a backup Context Directory agent is installed and its shared secret.

Setting Description

Client Signing Required Select this option if the Active Directory server is configured to require client signing.

With this option selected, AsyncOS uses Transport Layer Security when communicating with the Active Directory server.



Step 9 (Optional) Click Start Test. This will test the settings you have entered, ensuring they are correct before real users use them to authenticate. For details on the testing performed, see •Create additional NTLM realms to authenticate users in domains that are not trusted by existing NTLM realms., page 5-21.

Step 10 Troubleshoot any issues found during testing. See Troubleshooting Tools for Authentication Issues


What to Do Next

• Create an Identification Profile that uses the Kerberos authentication scheme. Classifying Users and Client Software, page 6-3.

How to Create an Active Directory Authentication Realm (NTLMSSP and Basic)

Prerequisites for Creating an Active Directory Authentication Realm (NTLMSSP and Basic)

• Ensure you have the rights and domain information needed to join the Web Security appliance to the Active Directory domain you wish to authenticate against.

• If you plan to use “domain” as the NTLM security mode, use only nested Active Directory groups. If Active Directory groups are not nested, use the default value, “ads”. See setntlmsecuritymode in the Command Line Interface appendix of this guide.

• Compare the current time on the Web Security appliance with the current time on the Active Directory server and verify that the difference is no greater than the time specified in the “Maximum tolerance for computer clock synchronization” option on the Active Directory server.

• If the Web Security appliance is managed by a Security Management appliance, be prepared to ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance.

• Be aware that once you commit the new realm, you cannot change a realm’s authentication protocol.

• The WSA needs to connect to the domain controllers for all trusted domains, and to the configured domain controllers into the NTLM realm. For authentication to work correctly, you need to open the following ports to all domain controllers on the internal domain and on the external domain:

LDAP (389 UDP and TCP)

Microsoft SMB (445 TCP)

Kerberos (88 UDP)

End-point resolution – port mapper (135 TCP) Net Log-on fixed port

• For NTLMSSP, single sign on (SSO) can be configured on client browsers. See Configuring Single-Sign-on, page 5-10.

About Using Multiple NTLM Realms and Domains

The following rules apply in regard to using multiple NTLM realms and domains:

• You can create up to 10 NTLM authentication realms.

• The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another NTLM realm.



• Each NTLM realm can join one Active Directory domain only but can authenticate users from any domains trusted by that domain. This trust applies to other domains in the same forest by default and to domains outside the forest to which at least a one way trust exists.

• Create additional NTLM realms to authenticate users in domains that are not trusted by existing NTLM realms.

Creating an Active Directory Authentication Realm (NTLMSSP and Basic)

Step 1 Choose Network > Authentication.



Step 4 Select Active Directory in the Authentication Protocol and Scheme(s) field.

Step 5 Enter up to three fully-qualified domain names or IP addresses for the Active Directory server(s).

Example: active.example.com.

An IP address is required only if the DNS servers configured on the appliance cannot resolve the Active Directory server hostname.

When multiple authentication servers are configured in the realm, the appliance attempts to authorize with up to three authentication servers before failing to authorize the transaction within this realm.

Step 6 Join the appliance to the domain:

a. Configure the Active Directory Account:

b. Click Join Domain.

Note If you attempt to join a domain you have already joined (even if you use the same credentials), existing connections will be closed, as the Active Directory will send a new set of keys to all clients including this WSA. Affected clients will need to log off and log back in again.

c. Enter the sAMAccountName user name and passphrase for an existing Active Directory user that has rights to create computer accounts in the domain.

Example: “jazzdoe” Do not use: “DOMAIN\jazzdoe” or “jazzdoe@domain”

This information is used once to establish the computer account and is not saved.

d. Click Create Account.

Setting Description

Active Directory Domain The Active Directory server domain name. Also known as a DNS Domain or realm.

NetBIOS domain name If the network uses NetBIOS, provide the domain name.

Computer Account Specify a location within the Active Directory domain where AsyncOS will create an Active Directory computer account, also known as a “machine trust account”, to uniquely identify the computer on the domain.

If the Active Directory environment automatically deletes computer objects at particular intervals, specify a location for the computer account that is in a container, protected from automatic deletion.



Step 7 (Optional) Configure transparent authentication.

Step 8 Configure Network Security:

Step 9 (Optional) Click Start Test. This will test the settings you have entered, ensuring they are correct before real users use them to authenticate.


Creating an LDAP Authentication Realm

Before You Begin

• Obtain the following information about LDAP in your organization:

– LDAP version

– Server addresses

– LDAP ports

• If the Web Security appliance is managed by a Security Management appliance, ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance.




Step 4 Select LDAP in the Authentication Protocol and Scheme(s) field.

Setting Description

Enable Transparent User Identification using Active Directory agent

Enter both the server name for the machine where the primary Context Directory agent is installed and the shared secret used to access it.

(Optional) Enter the server name for the machine where a backup Context Directory agent is installed and its shared secret.

Setting Description

Client Signing Required Select this option if the Active Directory server is configured to require client signing.

With this option selected, AsyncOS uses Transport Layer Security when communicating with the Active Directory server.



Step 5 Enter the LDAP authentication settings:

Setting Description

LDAP Version Choose the version of LDAP, and choose whether or not to use Secure LDAP.

The appliance supports LDAP versions 2 and 3. Secure LDAP requires LDAP version 3.

Choose whether or not this LDAP server supports Novell eDirectory to use with transparent user identification.

LDAP Server Enter the LDAP server IP address or hostname and its port number. You can specify up to three servers.

The hostname must be a fully-qualified domain name. For example, ldap.example.com. An IP address is required only if the DNS servers configured on the appliance cannot resolve the LDAP server hostname.

The default port number for Standard LDAP is 389. The default number for Secure LDAP is 636.

If the LDAP server is an Active Directory server, enter the hostname or IP address and the port of the domain controller here. Whenever possible, enter the name of the Global Catalog Server and use port 3268. However, you might want to use a local domain controller when the global catalog server is physically far away and you know you only need to authenticate users on the local domain controller.

Note: When you configure multiple authentication servers in the realm, the appliance attempts to authorize with up to three authentication servers before failing to authenticate the transaction within that realm.

LDAP Persistent Connections

(under the Advanced section)

Choose one of the following values:

• Use persistent connections (unlimited). Use existing connections. If no connections are available a new connection is opened.

• Use persistent connections. Use existing connections to service the number of requests specified. When the maximum is reached, establish a new connection to the LDAP server.

• Do not use persistent connections. Always create a new connection to the LDAP server.



User Authentication Enter values for the following fields:

Base Distinguished Name (Base DN)

The LDAP database is a tree-type directory structure and the appliance uses the Base DN to navigate to the correct location in the LDAP directory tree to begin a search. A valid Base DN filter string is composed of one or more components of the form object-value. For example dc=companyname, dc=com.

User Name Attribute


• uid, cn, and sAMAccountName. Unique identifiers in the LDAP directory that specify a username.

• custom. A custom identifier such as UserAccount.

User Filter Query

The User Filter Query is an LDAP search filter that locates the users Base DN. This is required if the user directory is in a hierarchy below the Base DN, or if the login name is not included in the user-specific component of that users Base DN.


• none. Filters any user.

• custom. Filters a particular group of users.

Query Credentials Choose whether or not the authentication server accepts anonymous queries.

If the authentication server does accept anonymous queries, choose Server Accepts Anonymous Queries.

If the authentication server does not accept anonymous queries, choose Use Bind DN and then enter the following information:

• Bind DN. The user on the external LDAP server permitted to search the LDAP directory. Typically, the bind DN should be permitted to search the entire directory.

• Passphrase. The passphrase associated with the user you enter in the Bind DN field.

The following text lists some example users for the Bind DN field:

cn=administrator,cn=Users,dc=domain,dc=com sAMAccountName=jdoe,cn=Users,dc=domain,dc=com.

If the LDAP server is an Active Directory server, you may also enter the Bind DN username as “DOMAIN\username.”

Setting Description



Step 6 (Optional) Enable Group Authorization via group object or user object and complete the settings for the chosen option accordingly:

Group Object Setting Description

Group Membership Attribute Within Group Object

Choose the LDAP attribute which lists all users that belong to this group.


• member and uniquemember. Unique identifiers in the LDAP directory that specify group members.

• custom. A custom identifier such as UserInGroup.

Attribute that Contains the Group Name

Choose the LDAP attribute which specifies the group name that can be used in the policy group configuration.


• cn. A unique identifier in the LDAP directory that specifies the name of a group.

• custom. A custom identifier such as FinanceGroup.

Query String to Determine if Object is a Group

Choose an LDAP search filter that determines if an LDAP object represents a user group.


• objectclass=groupofnames

• objectclass=groupofuniquenames

• objectclass=group

• custom. A custom filter such as objectclass=person.

Note: The query defines the set of authentication groups which can be used in policy groups.

User Object Setting Description

Group Membership Attribute Within User Object

Choose the attribute which list all the groups that this user belongs to.


• memberOf. Unique identifiers in the LDAP directory that specify user members.

• custom. A custom identifier such as UserInGroup.

Group Membership Attribute is a DN

Specify whether the group membership attribute is a distinguished name (DN) which refers to an LDAP object. For Active Directory servers, enable this option.

When this is enabled, you must configure the subsequent settings.



Step 7 (Optional) Configure external LDAP authentication for users

a. Select External Authentication Queries.

b. Identify the user accounts:.

c. (Optional) Deny login to expired accounts based on RFC 2307 account expiration LDAP attributes.

d. Provide a query to retrieve group information for users.

If a user belongs to multiple LDAP groups with different user roles, AsyncOS grants the user the permissions for the most restrictive role.

Attribute that Contains the Group Name

When the group membership attribute is a DN, this specifies the attribute that can be used as group name in policy group configurations.


• cn. A unique identifier in the LDAP directory that specifies the name of a group.

• custom. A custom identifier such as FinanceGroup.

Query String to Determine if Object is a Group

Choose an LDAP search filter that determines if an LDAP object represents a user group.


• objectclass=groupofnames

• objectclass=groupofuniquenames

• objectclass=group

• custom. A custom filter such as objectclass=person.

Note: The query defines the set of authentication groups which can be used in Web Security Manager policies.

User Object Setting Description

Base DN The Base DN to navigate to the correct location in the LDAP directory tree to begin a search.

Query String The query to return the set of authentication groups, for example:

(&(objectClass=posixAccount)(uid={u}))

or

(&(objectClass=user)(sAMAccountName={u}))

Attribute containing the user’s full name

The LDAP attribute, for example, displayName or gecos.

Base DN The Base DN to navigate to the correct location in the LDAP directory tree to begin a search.

Query String (&(objectClass=posixAccount)(uid={u}))

Attribute containing the user’s full name

gecos



Step 8 (Optional) Click Start Test. This will test the settings you have entered, ensuring they are correct before real users use them to authenticate. For details on the testing performed, see •Create additional NTLM realms to authenticate users in domains that are not trusted by existing NTLM realms., page 5-21.

Note Once you submit and commit your changes, you cannot later change a realm’s authentication protocol.


What to Do Next

• Create an Identification Profile that uses the Kerberos authentication scheme. Classifying Users and Client Software, page 6-3.

Related Topics


Using Multiple NTLM Realms and Domains

The following rules apply in regard to using multiple NTLM realms and domains:

• You can create up to 10 NTLM authentication realms.

• The client IP addresses in one NTLM realm must not overlap with the client IP addresses in another NTLM realm.

• Each NTLM realm can join one Active Directory domain only but can authenticate users from any domains trusted by that domain. This trust applies to other domains in the same forest by default and to domains outside the forest to which at least a one way trust exists.

• Create additional NTLM realms to authenticate users in domains that are not trusted by existing NTLM realms.

About Deleting Authentication RealmsDeleting an authentication realm disables associated identities, which in turn removes those identities from associated policies.

Deleting an authentication realm removes it from sequences.

Configuring Global Authentication SettingsConfigure Global Authentication Settings to apply settings to all authentication realms, independent of their authentication protocols.

The Web Proxy deployment mode affects which global authentication settings you can configure. More settings are available when it is deployed in transparent mode than in explicit forward mode.

Before You Begin

• Be familiar with the following concepts:

– Failed Authentication, page 5-28

– Failed Authorization: Allowing Re-Authentication with Different Credentials, page 5-33



Step 1 Choose Network > Authentication


Step 3 Edit the settings in the Global Authentication Settings section:.

The remaining authentication settings you can configure depends on how the Web Proxy is deployed, in transparent or explicit forward mode.

Setting Description

Action if Authentication Service Unavailable


• Permit traffic to proceed without authentication. Processing continues as if the user was authenticated.

• Block all traffic if user authentication fails. Processing is discontinued and all traffic is blocked.

Failed Authentication Handling

When you grant users guest access in an Identification Profile policy, this setting determines how the Web Proxy identifies and logs the user as a guest in the access logs.

For more information on granting users guest access, see Granting Guest Access After Failed Authentication, page 5-31.

Re-authentication

(Enable Re-Authentication Prompt If End User Blocked by URL Category or User Session Restriction)

This setting allows users to authenticate again if the user is blocked from a website due to a restrictive URL filtering policy or due to being restricted from logging into another IP address.

The user sees a block page that includes a link that allows them to enter new authentication credentials. If the user enters credentials that allow greater access, the requested page appears in the browser.

Note: This setting only applies to authenticated users who are blocked due to restrictive URL filtering policies or User Session Restrictions. It does not apply to blocked transactions by subnet with no authentication.

For more information, see Failed Authorization: Allowing Re-Authentication with Different Credentials, page 5-33.

Basic Authentication Token TTL

Controls the length of time that user credentials are stored in the cache before revalidating them with the authentication server. This includes the username and passphrase and the directory groups associated with the user.

The default value is the recommended setting. When the Surrogate Timeout setting is configured and is greater than the Basic Authentication Token TTL, then the Surrogate Timeout value takes precedence and the Web Proxy contacts the authentication server after surrogate timeout expires.



Step 4 If the Web Proxy is deployed in transparent mode, edit the settings as follows:

Setting Description

Credential Encryption This setting specifies whether or not the client sends the login credentials to the Web Proxy through an encrypted HTTPS connection.

This setting applies to both Basic and NTLMSSP authentication schemes, but it is particularly useful for Basic authentication scheme because user credentials are sent as plain text.

For more information, see Failed Authentication, page 5-28.

HTTPS Redirect Port Specify a TCP port to use for redirecting requests for authenticating users over an HTTPS connection.

This specifies through which port the client will open a connection to the Web Proxy using HTTPS. This occurs when credential encryption is enabled or when using Access Control and users are prompted to authenticate.

Redirect Hostname Enter the short hostname of the network interface on which the Web Proxy listens for incoming connections.

When you configure authentication on an appliance deployed in transparent mode, the Web Proxy uses this hostname in the redirection URL sent to clients for authenticating users.

You can enter either the following values:

• Single word hostname. You can enter the single word hostname that is DNS resolvable by the client and the Web Security appliance. This allows clients to achieve true single sign-on with Internet Explorer without additional browser side setup.Be sure to enter the single word hostname that is DNS resolvable by the client and the Web Security appliance.For example, if your clients are in domain mycompany.com and the interface on which the Web Proxy is listening has a full hostname of proxy.mycompany.com, then you should enter proxy in this field. Clients perform a lookup on proxy and they should be able to resolve proxy.mycompany.com.

• Fully qualified domain name (FQDN). You can also enter the FQDN or IP address in this field. However, if you do that and want true single sign-on for Internet Explorer and Firefox browsers, you must ensure that the FQDN or IP address is added to the client’s Trusted Sites list in the client browsers. The default value is the FQDN of the M1 or P1 interface, depending on which interface is used for proxy traffic.

Credential Cache Options:

Surrogate Timeout

This setting specifies how long the Web Proxy waits before asking the client for authentication credentials again. Until the Web Proxy asks for credentials again, it uses the value stored in the surrogate (IP address or cookie).

It is common for user agents, such as browsers, to cache the authentication credentials so the user will not be prompted to enter credentials each time.




Client IP Idle Timeout

When IP address is used as the authentication surrogate, this setting specifies how long the Web Proxy waits before asking the client for authentication credentials again when the client has been idle.

When this value is greater than the Surrogate Timeout value, this setting has no effect and clients are prompted for authentication after the Surrogate Timeout is reached.

You might want to use this setting to reduce the vulnerability of users who leave their computers.


Cache Size

Specifies the number of entries that are stored in the authentication cache. Set this value to safely accommodate the number of users that are actually using this device. The default value is the recommended setting.

User Session Restrictions

This setting specifies whether or not authenticated users are allowed to access the Internet from multiple IP addresses simultaneously.

You might want to restrict access to one machine to prevent users from sharing their authentication credentials with non-authorized users. When a user is prevented from logging in at a different machine, an end-user notification page appears. You can choose whether or not users can click a button to login as a different username using the Re-authentication setting on this page.

When you enable this setting, enter the restriction timeout value, which determines how long users must wait before being able to log into a machine with a different IP address. The restriction timeout value must be greater than the surrogate timeout value.

You can remove a specific user or all users from the authentication cache using the authcache CLI command.

Advanced When using Credential Encryption or Access Control, you can choose whether the appliance uses the digital certificate and key shipped with the appliance (the Cisco Web Security Appliance Demo Certificate) or a digital certificate and key you upload here.

Setting Description



Step 5 If the Web Proxy is deployed in explicit forward mode, edit the settings as follows:

Setting Description

Credential Encryption This setting specifies whether or not the client sends the login credentials to the Web Proxy through an encrypted HTTPS connection. To enable credential encryption, choose “HTTPS Redirect (Secure)”. When you enable credential encryption, additional fields appear to configure how to redirect clients to the Web Proxy for authentication.

This setting applies to both Basic and NTLMSSP authentication schemes, but it is particularly useful for Basic authentication scheme because user credentials are sent as plain text.

For more information, see Failed Authentication, page 5-28.

HTTPS Redirect Port Specify a TCP port to use for redirecting requests for authenticating users over an HTTPS connection.

This specifies through which port the client will open a connection to the Web Proxy using HTTPS. This occurs when credential encryption is enabled or when using Access Control and users are prompted to authenticate.

Redirect Hostname Enter the short host name of the network interface on which the Web Proxy listens for incoming connections.

When you enable Authentication Mode above, the Web Proxy uses this hostname in the redirection URL sent to clients for authenticating users.

You can enter either the following values:

• Single word hostname. You can enter the single word host name that is DNS resolvable by the client and the Web Security appliance. This allows clients to achieve true single sign-on with Internet Explorer without additional browser side setup.Be sure to enter the single word host name that is DNS resolvable by the client and the Web Security appliance.For example, if your clients are in domain mycompany.com and the interface on which the Web Proxy is listening has a full host name of proxy.mycompany.com, then you should enter proxy in this field. Clients perform a lookup on proxy and they should be able to resolve proxy.mycompany.com.

• Fully qualified domain name (FQDN). You can also enter the FQDN or IP address in this field. However, if you do that and want true single sign-on for Internet Explorer and Firefox browsers, you must ensure that the FQDN or IP address is added to the client’s Trusted Sites list in the client browsers. The default value is the FQDN of the M1 or P1 interface, depending on which interface is used for proxy traffic.


Surrogate Timeout

This setting specifies how long the Web Proxy waits before asking the client for authentication credentials again. Until the Web Proxy asks for credentials again, it uses the value stored in the surrogate (IP address or cookie).

Note that it is common for user agents, such as browsers, to cache the authentication credentials so the user will not be prompted to enter credentials each time.


Chapter 5 Acquire End-User Credentials Authentication Sequences


Authentication Sequences• About Authentication Sequences, page 5-27

• Creating Authentication Sequences, page 5-27

• Editing And Reordering Authentication Sequences, page 5-28

• Editing And Reordering Authentication Sequences, page 5-28


Client IP Idle Timeout

When IP address is used as the authentication surrogate, this setting specifies how long the Web Proxy waits before asking the client for authentication credentials again when the client has been idle.

When this value is greater than the Surrogate Timeout value, this setting has no effect and clients are prompted for authentication after the Surrogate Timeout is reached.

You might want to use this setting to reduce the vulnerability of users who leave their computers.


Cache Size

Specifies the number of entries that are stored in the authentication cache. Set this value to safely accommodate the number of users that are actually using this device. The default value is the recommended setting.

User Session Restrictions

This setting specifies whether or not authenticated users are allowed to access the Internet from multiple IP addresses simultaneously.

You might want to restrict access to one machine to prevent users from sharing their authentication credentials with non-authorized users. When a user is prevented from logging at a different machine, an end-user notification page appears. You can choose whether or not users can click a button to login as a different username using the Re-authentication setting on this page.

When you enable this setting, enter the restriction timeout value, which determines how long users must wait before being able to log into a machine with a different IP address. The restriction timeout value must be greater than the surrogate timeout value.

You can remove a specific user or all users from the authentication cache using the authcache CLI command.

Advanced When using Credential Encryption or Access Control, you can choose whether the appliance uses the digital certificate and key shipped with the appliance (the Cisco Web Security Appliance Demo Certificate) or a digital certificate and key you upload here.

To upload a digital certificate and key, click Browse and navigate to the necessary file on your local machine. Then click Upload Files after you select the files you want.

Setting Description


Chapter 5 Acquire End-User Credentials Authentication Sequences

About Authentication SequencesUse authentication sequences to allow single Identities to authenticate users via different authentication servers or protocols. Authentication sequences are also useful for providing backup options in case primary authentication options become unavailable.

Authentication sequences are collections of two or more authentication realms. The realms used can have different authentication servers and different authentication protocols. For more information on authentication realms, seeAuthentication Realms, page 5-10.

After you create a second authentication realm, the appliance automatically displays a Realm Sequences section under Network > Authentication and includes a default authentication sequence named All Realms. The All Realms sequence automatically includes each realm you define. You can change the order of the realms within the All Realms sequence, but you cannot delete the All Realms sequence or remove any realms from it.

When multiple NTLM authentication realms are defined, the Web Security appliance uses the NTLMSSP authentication scheme with only one NTLM authentication realm per sequence. You can choose which NTLM authentication realm to use for NTLMSSP within each sequence, including the All Realms sequence. To use NTLMSSP with multiple NTLM realms, define a separate Identification Profile for each realm.

Which authentication realms within a sequence get used during authentication depends on:

• The authentication scheme used. This is generally dictated by the type of credentials entered at the client.

• The order in which realms are listed within the sequence (for Basic realms only, as only one NTLMSSP realm is possible).

Tip For optimal performance, authenticate clients on the same subnet using a single realm.

Creating Authentication Sequences

Before You Begin

• Create two or more authentication realms (see Authentication Realms, page 5-10).

• If the Web Security appliance is managed by a Security Management appliance, ensure that same-named authentication realms on different Web Security appliances have identical properties defined on each appliance.

• Be aware that AsyncOS will use the realms to process authentication sequentially, beginning with the first realm in the list.

Step 1 Choose Network > Authentication

Step 2 Click Add Sequence.

Step 3 Enter a unique name for the sequence using alphanumeric and space characters.

Step 4 In the first row of the Realm Sequence for Basic Scheme area, choose the first authentication realm you want to include in the sequence.

Step 5 In the second row of the Realm Sequence for Basic Scheme area, choose the next realm you want to include in the sequence.

Step 6 (Optional) Click Add Row to include another realm that uses Basic credentials.


Chapter 5 Acquire End-User Credentials Failed Authentication

Step 7 If an NTLM realm is defined, choose an NTLM realm in the Realm for NTLMSSP Scheme field.

The Web Proxy uses this NTLM realm when the client sends NTLMSSP authentication credentials.


Editing And Reordering Authentication Sequences


Step 2 Click the name of the sequence you wish to edit or re-order.

Step 3 Choose a realm name from the Realms drop-down list on the row corresponding to the position number you want the realm to occupy in the sequence.

Note For the All Realms sequence, you can only change the order of its realms, you cannot change the realms themselves. To change the order of realms in the All Realms sequence, click the arrows in the Order column to reposition the corresponding realms.

Step 4 Repeat Step 3 until all realms are listed and ordered as required, ensuring that each realm name appears in one row only.


Deleting Authentication Sequences

Before You Begin

• Be aware that deleting an authentication sequence also disables associated identities, which in turn removes those identities from associated policies.


Step 2 Click the trash can icon for the sequence name.

Step 3 Click Delete to confirm that you want to delete the sequence.


Failed Authentication• About Failed Authentication, page 5-29

• Bypassing Authentication with Problematic User Agents, page 5-29

• Bypassing Authentication, page 5-31

• Permitting Unauthenticated Traffic While Authentication Service is Unavailable, page 5-31




• Failed Authorization: Allowing Re-Authentication with Different Credentials, page 5-33

About Failed AuthenticationUsers may be blocked from the web due to authentication failure for the following reasons:

• Client/user agent limitations. Some client applications may not properly support authentication. You can bypass authentication for these clients by configuring Identification Profiles that do not require authorization and basing their criteria on the clients (and, optionally, on the URLs they need to access).

• Authentication service is unavailable. An authentication service might be unavailable due to network or server issues. You can choose to allow unauthenticated traffic in this circumstance.

• Invalid credentials. Some users may be unable to supply valid credentials for proper authentication (for example, visitors or users awaiting credentials). You can choose to grant these users limited access to the web.

Related Topics

• Bypassing Authentication with Problematic User Agents, page 5-29


• Permitting Unauthenticated Traffic While Authentication Service is Unavailable, page 5-31


Bypassing Authentication with Problematic User Agents Some user agents are known to have authentication issues that can impact normal operations.

You should bypass authentication via the following user agents:

• Windows-Update-Agent

• MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT

• Microsoft BITS

• SLSSoapClient

• Akamai NetSession Interface

• Microsoft-CryptoAPI

• NCSI

• MSDW

• Gnotify

• msde

• Google Update

Note The access policies will still filter (based on URL categories) and scan (McAfee, Webroot) traffic as per the access policy setup.



Step 1 Configure the Identification Profile to bypass authentication with the specified user agents:

a. Select Web Security Manager > Identification Profile.

b. Click Add Identification Profile.

c. Enter information:

d. Click Advanced > User Agents.

e. Click None Selected.

f. Under Custom user Agents, specify the problematic User Agent strings.

Step 2 Configure the Access Policy:

a. Choose Web Security Manager > Access Policies.

b. Click Add Policy.

c. Enter information:


Option Value

Name User Agent AuthExempt Identification Profile

Insert Above Set to the first profile in the processing order

Define Members by Subnet Leave blank.

Define Members by Authentication No Authentication Required.

Option Value

Policy Name Auth Exemption for User Agents

Insert Above Policy Set to the first policy in the processing order.

Identification Profile Policy User Agent AuthExempt Identification Profile

Advanced None



Bypassing Authentication

Related Topics

• Bypassing the Web Proxy

Permitting Unauthenticated Traffic While Authentication Service is Unavailable

Note This configuration applies only when an authentication service is unavailable. It will not bypass authentication permanently. For alternative options, see About Failed Authentication, page 5-29



Step 3 Click the Permit Traffic To Proceed Without Authentication in the Action If Authentication Service Unavailable field.


Granting Guest Access After Failed AuthenticationGranting guest access requires that the following procedures are completed:

1. Define an Identification Profile that Supports Guest Access, page 5-32

2. Use an Identification Profile that Supports Guest Access in a Policy, page 5-32

3. (Optional) Configure How Guest User Details are Logged, page 5-32

Note If an Identification Profile allows guest access and there is no user-defined policy that uses that Identification Profile, users who fail authentication match the global policy of the applicable policy type. For example, if MyIdentificationProfile allows guest access and there is no user-defined Access Policy

Step More Information

1. Create a custom URL category that contains the affected websites by configuring the Advanced properties.

Creating and Editing Custom URL Categories, page 9-14

2. Create an Identification Profile with these characteristics:

– Placed above all identities that require authentication.

– Includes the custom URL category.

– Includes affected client applications.

– Does not require authentication

Classifying Users and Client Software, page 6-3

3. Create a policy for the Identification Profile. Creating a Policy, page 10-7



that uses MyIdentificationProfile, users who fail authentication match the global Access Policy. If you do not want guest users to match a global policy, create a policy above the global policy that applies to guest users and blocks all access.

Define an Identification Profile that Supports Guest Access

Step 1 Choose Web Security Manager > Identification Profiles.

Step 2 Click Add Identification Profile to add a new identity, or click the name of an existing identity that you wish to use.

Step 3 Check the Support Guest Privileges check box.


Use an Identification Profile that Supports Guest Access in a Policy

Step 1 Choose a policy type from the Web Security Manager menu.

Step 2 Click a policy name in the policies table.

Step 3 Choose Select One Or More Identification Profiles from the Identification Profiles And Users drop-down list (if not already chosen).

Step 4 Choose a profile that supports guest access from the drop-down list in the Identification Profile column.

Step 5 Click the Guests (Users Failing Authentication) radio button.

Note If this option is not available it means the profile you chose is not configured to support guest access. Return to step 4 and choose another, or see Define an Identification Profile that Supports Guest Access, page 5-32 to define a new one.


Configure How Guest User Details are Logged



Step 3 Click a Log Guest User By radio button, described below, in the Failed Authentication Handling field.

Radio button Description

IP Address The IP address of the guest user’s client will be logged in the access logs.

User Name As Entered By End-User

The user name that originally failed authentication will be logged in the access logs.




Failed Authorization: Allowing Re-Authentication with Different Credentials• About Allowing Re-Authentication with Different Credentials, page 5-33

• Allowing Re-Authentication with Different Credentials, page 5-33

About Allowing Re-Authentication with Different Credentials

Use re-authentication to allow users the opportunity to authenticate again, using different credentials, if the credentials they previously used have failed authorization. A user may authenticate successfully but still be prevented from accessing a web resource if not authorized to do so. This is because authentication merely identifies users for the purpose of passing their verified credentials on to policies, but it is the policies that authorize those users (or not) to access resources.

A user must have authenticated successfully to be allowed to re-authenticate.

• To use the re-authentication feature with user defined end-user notification pages, the CGI script that parses the redirect URL must parse and use the Reauth_URL parameter.

Allowing Re-Authentication with Different Credentials



Step 3 Check the Re-Authentication Prompt If End User Blocked by URL Category Or User Session Restriction check box.

Step 4 Click Submit.

Tracking Identified Users

Note When the appliance is configured to use cookie-based authentication surrogates, it does not get cookie information from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name from the cookie.



Supported Authentication Surrogates for Explicit Requests

Supported Authentication Surrogates for Transparent Requests

Note See also the description of the Authentication Surrogates options in Classifying Users and Client Software, page 6-3.

* Works after the client makes a request to an HTTP site and is authenticated. Before this happens, the behavior depends on the transaction type:

• Native FTP transactions. Transactions bypass authentication.

• HTTPS transactions. Transactions are dropped. However, you can configure the HTTPS Proxy to decrypt the first HTTPS request for authentication purposes.

** When cookie-based authentication is used, the Web Proxy cannot authenticate the user for HTTPS, native FTP, and FTP over HTTP transactions. Due to this limitation, all HTTPS, native FTP, and FTP over HTTP requests bypass authentication, so authentication is not requested at all.

*** No surrogate is used in this case even though cookie-based surrogate is configured.

Related Topics

• Identification Profiles and Authentication, page 6-8

Tracking Re-Authenticated Users

With re-authentication, if a more privileged user authenticates and is authorized, the Web Proxy caches this user identity for different amounts of time depending on the authentication surrogates configured:

• Session cookie. The privileged user identity is used until the browser is closed or the session times out.

Surrogate Types Credential Encryption Disabled Credential Encryption Enabled

Protocol: HTTP HTTPS &

FTP over HTTP

Native FTP HTTP HTTPS &

FTP over HTTP

Native FTP

No Surrogate Yes Yes Yes NA NA NA

IP-based Yes Yes Yes Yes Yes Yes

Cookie-based Yes Yes*** Yes*** Yes No/Yes** Yes***

Surrogate Types Credential Encryption Disabled Credential Encryption Enabled

Protocol: HTTP HTTPS Native FTP HTTP HTTPS Native FTP

No Surrogate NA NA NA NA NA NA

IP-based Yes No/Yes* No/Yes* Yes No/Yes* No/Yes*

Cookie-based Yes No/Yes** No/Yes** Yes No/Yes** No/Yes**


Chapter 5 Acquire End-User Credentials Credentials

• Persistent cookie. The privileged user identity is used until the surrogate times out.

• IP address. The privileged user identity is used until the surrogate times out.

• No surrogate. By default, the Web Proxy requests authentication for every new connection, but when re-authentication is enabled, the Web Proxy requests authentication for every new request, so there is an increased load on the authentication server when using NTLMSSP. The increase in authentication activity may not be apparent to a user, however, because most browsers will cache the privileged user credentials and authenticate without prompting until the browser is closed. Also, when the Web Proxy is deployed in transparent mode, and the “Apply same surrogate settings to explicit forward requests” option is not enabled, no authentication surrogates are used for explicit forward requests and increased load will occur with re-authentication.

Note If the Web Security appliance uses cookies for authentication surrogates, Cisco recommends enabling credential encryption.

CredentialsAuthentication credentials are obtained from users by either prompting them to enter their credentials through their browsers, or another client application, or by obtaining the credentials transparently from another source.

• Tracking Credentials for Reuse During a Session, page 5-35

• Authentication and Authorization Failures, page 5-36

• Credential Format, page 5-36

• Credential Encryption for Basic Authentication, page 5-36

Tracking Credentials for Reuse During a SessionUsing authentication surrogates, after a user authenticates once during a session, you can track credentials for reuse throughout that session rather than having the user authenticate for each new request. Authentication surrogates may be based on the IP address of the user’s workstation or on a cookie that is assigned to the session.

For Internet Explorer, be sure the Redirect Hostname is the short host name (containing no dots) or the NetBIOS name rather than a fully qualified domain. Alternatively, you can add the appliance host name to Internet Explorer’s Local intranet zone (Tools > Internet options > Security tab); however, this will be required on every client. For more information about this, see How do I properly set up NTLM with SSO (credentials sent transparently)?

With Firefox and other non-Microsoft browsers, the parameters network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris must be set to the transparent-mode Redirect Hostname. You also can refer to Firefox is not sending authentication credentials transparently (SSO). This article provides general information about changing Firefox parameters.

For information about the Redirect Hostname, see Configuring Global Authentication Settings, or the CLI command sethostname.





http://www.toptip.ca/2010/03/change-secret-configuration-parameters.html


Chapter 5 Acquire End-User Credentials Credentials

Authentication and Authorization FailuresIf authentication fails for accepted reasons, such as incompatible client applications, you can grant guest access.

If authentication succeeds but authorization fails, it is possible to allow re-authentication using a different set of credentials that may be authorized to access the requested resource.

Related Topics


• Allowing Re-Authentication with Different Credentials, page 5-33

Credential Format

Credential Encryption for Basic Authentication

About Credential Encryption for Basic Authentication

Enable credential encryption to transmit credentials over HTTPS in encrypted form. This increases security of the basic authentication process.

The Web Security appliance uses its own certificate and private key by default to create an HTTPS connection with the client for the purposes of secure authentication. Most browsers will warn users, however, that this certificate is not valid. To prevent users from seeing the invalid certificate message, you can upload a valid certificate and key pair that your organization uses.

Configuring Credential Encryption

Before You Begin:

• Configure the appliance to use IP surrogates.

• (Optional) Obtain a certificate and unencrypted private key. The certificate and key configured here are also used by Access Control.



Step 3 Check the Use Encrypted HTTPS Connection For Authentication check box in the Credential Encryption field.

Authentication Scheme Credential Format

NTLMSSP MyDomain\jsmith

Basic jsmith

MyDomain\jsmith

Note If the user does not enter the Windows domain, the Web Proxy prepends the default Windows domain.


Chapter 5 Acquire End-User Credentials Troubleshooting Authentication

Step 4 (Optional) Edit the default port number (443) in the HTTPS Redirect Port field for client HTTP connections during authentication.

Step 5 (Optional) Upload a certificate and key:

a. Expand the Advanced section.

b. Click Browse in the Certificate field and find the certificate file you wish to upload.

c. Click Browse in the Key field and find the private key file you wish to upload.

d. Click Upload Files.


Related Topics

• Certificate Management, page 22-25.

Troubleshooting Authentication• LDAP User Fails Authentication due to NTLMSSP, page A-3

• LDAP Authentication Fails due to LDAP Referral, page A-3

• Basic Authentication Fails, page A-3

• Users Erroneously Prompted for Credentials, page A-4


• Cannot Access URLs that Do Not Support Authentication, page A-21

• Client Requests Fail Upstream Proxy, page A-22


Chapter 5 Acquire End-User Credentials Troubleshooting Authentication

C H A P T E R


6Classify End-Users and Client Software

• Overview of Classify Users and Client Software, page 6-1

• Classify Users and Client Software: Best Practices, page 6-2

• Identification Profile Criteria, page 6-2

• Classifying Users and Client Software, page 6-3

• Identification Profiles and Authentication, page 6-8

• Troubleshooting Identification Profiles, page 6-10

Overview of Classify Users and Client SoftwareIdentification Profiles let you classify users and user agents (client software) for these purposes:

• Group transaction requests for the application of policies (except SaaS)

• Specification of identification and authentication requirements

AsyncOS assigns an Identification Profile to every transaction:

• Custom Identification Profiles — AsyncOS assigns a custom profile based on that identity’s criteria.

• The Global Identification Profile — AsyncOS assigns the global profile to transactions that do not meet the criteria for any custom profile. By default, the global profile does not require authentication.

AsyncOS processes Identification Profiles sequentially, beginning with the first. The global profile is the last profile.

An Identification Profile may include only one criterion. Alternately, Identification Profiles that include multiple criteria require that all the criteria are met.


Chapter 6 Classify End-Users and Client Software Classify Users and Client Software: Best Practices

One policy may call on multiple Identification Profiles:

Classify Users and Client Software: Best Practices• Create fewer, more general Identification Profiles that apply to all users or fewer, larger groups of

users. Use policies, rather than profiles, for more granular management.

• Create Identification Profiles with unique criteria.

• If deployed in transparent mode, create an Identification Profile for sites that do not support authentication. See Bypassing Authentication, page 5-31.

Identification Profile CriteriaThese transaction characteristics are available to define an Identification Profile:

This Identification Profile uses an authentication sequence and this policy applies to one realm in the sequence.

Authentication is not used for this Identification Profile.

This Identification Profile allows guest access and applies to users who fail authentication.

The specified user groups in this Identification Profile are authorized for this policy.

Option Description

Subnet The client subnet must match the list of subnets in a policy.

Protocol The protocol used in the transaction: HTTP, HTTPS, SOCKS, or native FTP.

Port The proxy port of the request must be in the Identification Profile’s list of ports, if any are listed. For explicit forward connections, this is the port configured in the browser. For transparent connections, this is the same as the destination port.


Chapter 6 Classify End-Users and Client Software Classifying Users and Client Software

Classifying Users and Client Software Before You Begin

• Create authentication realms. See How to Create an Active Directory Authentication Realm (NTLMSSP and Basic), page 5-14 or Creating an LDAP Authentication Realm, page 5-16.

• Be aware that when you commit changes to Identification Profiles, end-users must re-authenticate.

• If you are in Cloud Connector mode, be aware that an additional Identification Profile option is available: Machine ID. See Identifying Machines for Policy Application, page 3-7.

• (Optional) Create authentication sequences. See Creating Authentication Sequences, page 5-27

• (Optional) Enable Secure Mobility if the Identification Profile will include mobile users.

• (Optional) Understand authentication surrogates. See Tracking Identified Users, page 5-33.


Step 2 Click Add Profile to add a profile.

Step 3 Use the Enable Identification Profile check box to enable this profile, or to quickly disable it without deleting it.

Step 4 Assign a unique profile Name.

Step 5 A Description is optional.

Step 6 From the Insert Above drop-down list, choose where this profile is to appear in the table.

Note Position Identification Profiles that do not require authentication above the first Identification Profile that requires authentication.

Step 7 In the User Identification Method section, choose an identification method and then supply related parameters; displayed options vary according to the method chosen.

User Agent The user agent (client application) making the request must be in the Identification Profile’s list of user agents, if any are listed. Some user agents cannot handle authentication, therefore creating an profile that does not require authentication is necessary. User agents include programs such as updaters and browsers, such as Internet Explorer and Mozilla Firefox.

URL Category The URL category of the request URL must be in the Identification Profile’s list of URL categories, if any are listed.

Authentication requirements

If the Identification Profile requires authentication, the client authentication credentials must match the Identification Profile’s authentication requirements.

Option Description



There are three types of methods: exempt from authentication/identification, authenticate users, and three ways to transparently identify users: ISE, ASA (via AnyConnect Secure Mobility), or an appropriately configured authentication realm. The latter includes either an Active Directory realm, or an LDAP realm configured as a Novell eDirectory.

a. Choose an identification method from the User Identification Method drop-down list.

Note When at least one Identification Profile with authentication or transparent identification is configured, the policy tables will support defining policy membership using user names, directory groups, and Secure Group Tags.

b. Supply parameters appropriate to the chosen method. Not all of the sections described in this table are visible for each choice.

Option Description

Exempt from authentication/ identification

Users are identified primarily by IP address. No additional parameters are required.

Authenticate users Users are identified by the authentication credentials they enter.

Transparently identify users with ISE

Available when the ISE service is enabled (Network > Identity Services Engine). For these transactions, the user name and associated Secure Group Tags will be obtained from the Identity Services Engine. For more information, see Tasks for Certifying and Integrating the ISE Service, page 8-3.

Transparently identify users with ASA

Users are identified by the current IP address-to-user name mapping received from a Cisco Adaptive Security Appliance (for remote users only). This option appears when Secure Mobility is enabled and integrated with an ASA. The user name will be obtained from the ASA, and associated directory groups will be obtained from the selected authentication realm or sequence.

Transparently identify users with authentication realm

This option is available when one or more authentication realms are configured to support transparent identification.

Fallback to Authentication Realm or Guest Privileges

If user authentication is not available from ISE:

• Support Guest Privileges – The transaction will be allowed to continue, and will match subsequent policies for Guest users from all Identification Profiles.

• Block Transactions – Do not allow Internet access to users who cannot be identified by ISE.

• Support Guest privileges – Check this box to grant guest access to users who fail authentication due to invalid credentials.



Authentication Realm Select a Realm or Sequence – choose a defined authentication realm or sequence.

Select a Scheme – Choose an authentication scheme:

• Kerberos – The client is transparently authenticated by means of Kerberos tickets.

• Basic – The client always prompts users for credentials. After the user enters credentials, browsers typically offer a check box to remember the provided credentials. Each time the user opens the browser, the client either prompts for credentials or resends the previously saved credentials.

Credentials are sent unsecured as clear text (Base64). A packet capture between the client and Web Security appliance can reveal the user name and passphrase.

• NTLMSSP – The client transparently authenticates using its Windows login credentials. The user is not prompted for credentials.

However, the client prompts the user for credentials under the following circumstances:

– The Windows credentials failed.

– The client does not trust the Web Security appliance because of browser security settings.

Credentials are sent securely using a three-way handshake (digest style authentication). The passphrase is never sent across the connection.

• Support Guest privileges – Check this box to grant guest access to users who fail authentication due to invalid credentials.

Realm for Group Authentication

• Select a Realm or Sequence – Choose a defined authentication realm or sequence.



Step 8 In the Membership Definition section, supply membership parameters appropriate to the chosen identification method. Note that all of the options described in this table are not available to every User Identification Method.

Authentication Surrogates Specify how transactions will be associated with a user after successful authentication (options vary depending on Web Proxy deployment mode):

• IP Address – The Web Proxy tracks an authenticated user at a particular IP address. For transparent user identification, select this option.

• Persistent Cookie – The Web Proxy tracks an authenticated user on a particular application by generating a persistent cookie for each user per application. Closing the application does not remove the cookie.

• Session Cookie – The Web Proxy tracks an authenticated user on a particular application by generating a session cookie for each user per domain per application. (However, when a user provides different credentials for the same domain from the same application, the cookie is overwritten.) Closing the application removes the cookie.

• No Surrogate – The Web Proxy does not use a surrogate to cache the credentials, and it tracks an authenticated user for every new TCP connection. When you choose this option, the web interface disables other settings that no longer apply. This option is available only in explicit forward mode and when you disable credential encryption on the Network > Authentication page.

• Apply same surrogate settings to explicit forward requests – Check to apply the surrogate used for transparent requests to explicit requests; enables credential encryption automatically. This option appears only when the Web Proxy is deployed in transparent mode.

Note You can define a timeout valve for the authentication surrogate for all requests in Global Authentication Settings.

Membership Definition

Define Members by User Location

Configure this Identification Profile to apply to: Local Users Only, Remote Users Only, or Both. This selection affects the available authentication settings for this Identification Profile.

Define Members by Subnet Enter the addresses to which this Identification Profile should apply. You can use IP addresses, CIDR blocks, and subnets.

Note If nothing is entered, the Identification Profile applies to all IP addresses.

Define Members by Protocol Select the protocols to which this Identification Profile should apply; select all that apply:

• HTTP/HTTPS – Applies to all requests that use HTTP or HTTPS as the underlying protocol, including FTP over HTTP, and any other protocol tunneled using HTTP CONNECT.

• Native FTP – Applies to native FTP requests only.

• SOCKS – Applies to SOCKS Policies only




Define Members by Machine ID

• Do Not Use Machine ID in This Policy – The user is not identified by machine ID.

• Define User Authentication Policy Based on Machine ID – The user is identified primarily by machine ID.

Click the Machine Groups area to display the Authorized Machine Groups page.

For each group you want to add, in the Directory Search field, start typing the name of the group to add and then click Add. You can select a group and click Remove to remove it from the list.

Click Done to return to the previous page.

Click the Machine IDs area to display the Authorized Machines page.

In the Authorized Machines, field, enter the machine IDs to associate with the policy then click Done.

Note Authentication using Machine ID is supported only in Connector mode and requires Active Directory.

Advanced Expand this section to define additional membership requirements.

• Proxy Ports – Specify one or more proxy ports used to access the Web Proxy. Enter port numbers separated by commas. For explicit forward connections, the proxy port is configured in the browser.

For transparent connections, this is the same as the destination port.

Defining identities by port works best when the appliance is deployed in explicit forward mode, or when clients explicitly forward requests to the appliance. Defining identities by port when client requests are transparently redirected to the appliance may result in some requests being denied.

• URL Categories – Select user-defined or predefined URL categories. Membership for both is excluded by default, meaning the Web Proxy ignores all categories unless they are selected in the Add column.

If you need to define membership by URL category, only define it in the Identity group when you need to exempt from authentication requests to that category.

• User Agents – Defines policy group membership by the user agents found in the client request. You can select some commonly defined agents, or define your own using regular expressions.

Also specify whether these user-agent specifications are inclusive or exclusive. In other words, whether membership definition includes only the selected user agents, or specifically excludes the selected user agents


Chapter 6 Classify End-Users and Client Software Identification Profiles and Authentication

Related Topics

• Overview of Acquire End-User Credentials, page 5-1

• Managing Web Requests Through Policies Task Overview, page 10-3

Enable/Disable an Identity Before You Begin

• Be aware that disabling an Identification Profile removes it from associated policies.

• Be aware that re-enabling an Identification Profile does not re-associate it with any policies.


Step 2 Click a profile in the Identification Profiles table to open the Identification Profile page for that profile.

Step 3 Check or clear Enable Identification Profile immediately under Client/User Identification Profile Settings.


Identification Profiles and Authentication The following diagram shows how the Web Proxy evaluates a client request against an Identification Profile when the Identification Profiles is configured to use:

• No authentication surrogates

• IP addresses as authentication surrogates

• Cookies as authentication surrogates with transparent requests

• Cookies as authentication surrogates with explicit requests and credential encryption is enabled


Chapter 6 Classify End-Users and Client Software Identification Profiles and Authentication

Figure 6-1 Identification Profiles and Authentication Processing – No Surrogates and

IP-based Surrogates


Chapter 6 Classify End-Users and Client Software Troubleshooting Identification Profiles

The following diagram shows how the Web Proxy evaluates a client request against an Identification Profile when the Identification Profile is configured to use cookies as the authentication surrogates, credential encryption is enabled, and the request is explicitly forwarded.

Figure 6-2 Identification Profiles and Authentication Processing – Cookie-based Surrogates

Troubleshooting Identification Profiles• Basic Authentication Problems, page A-3



• Policy Problems, page A-14

• Policy is Never Applied, page A-16

• Policy Troubleshooting Tool: Policy Trace, page A-17

• Upstream Proxy Problems, page A-22



C H A P T E R


7SaaS Access Control

• Overview of SaaS Access Control, page 7-1

• Configuring the Appliance as an Identity Provider, page 7-2

• Using SaaS Access Control and Multiple Appliances, page 7-4

• Creating SaaS Application Authentication Policies, page 7-4

• Configuring End-user Access to the Single Sign-on URL, page 7-6

Overview of SaaS Access ControlThe Web Security appliance uses the Security Assertion Markup Language (SAML) to authorize access to SaaS applications. It works with SaaS applications that are strictly compliant with SAML version 2.0.

Cisco SaaS Access Control allows you to:

• Control which users can access SaaS applications and from where.

• Quickly disable access to all SaaS applications when users are no longer employed by the organization.

• Reduce the risk of phishing attacks that ask users to enter their SaaS user credentials.

• Choose whether users are transparently signed in (single sign-on functionality) or prompted to enter their authentication user name and pass phrase.

SaaS Access Control only works with SaaS applications that require an authentication mechanism that is supported by the Web Security appliance. Currently, the Web Proxy uses the “PasswordProtectedTransport” authentication mechanism.

To enable SaaS Access Control, you must configure settings on both the Web Security appliance and the SaaS application:

Step 1 Configure the Web Security appliance as an identity provider.

Configuring the Appliance as an Identity Provider, page 7-2

Step 2 Create an authentication policy for the SaaS application.

Creating SaaS Application Authentication Policies, page 7-4

Step 3 Configure the SaaS application for single sign-on.

Configuring End-user Access to the Single Sign-on URL, page 7-6

Step 4 (Optional) Configue multiple Web Security appliances.

Using SaaS Access Control and Multiple Appliances, page 7-4


Chapter 7 SaaS Access Control Configuring the Appliance as an Identity Provider

Configuring the Appliance as an Identity ProviderWhen you configure the Web Security appliance as an identity provider, the settings you define apply to all SaaS applications it communicates with. The Web Security appliance uses a certificate and key to sign each SAML assertion it creates.

Before You Begin

• (Optional) Locate a certificate (PEM format) and key for signing SAML assertions.

• Upload the certificate to each SaaS application.

Step 1 Choose Network > Identity Provider for SaaS.


Step 3 Check Enable SaaS Single Sign-on Service.

Step 4 Enter a virtual domain name in the Identity Provider Domain Name field.

Step 5 Enter a unique text identifier in the Identity Provider Entity ID field (a URI formatted string is recommended).

Step 6 Either upload or generate a certificate and key:


Chapter 7 SaaS Access Control Configuring the Appliance as an Identity Provider

Note If the appliance has both an uploaded certificate and key pair and a generated certificate and key pair, it only uses the certificate and key pair currently selected in the Signing Certificate section.

Step 7 Make note of the settings when you configure the appliance as an identity provider. Some of these settings must be used when configuring the SaaS application for single sign-on.


Next Steps

• After specifying the certificate and key to use for signing SAML assertions, upload the certificate to each SaaS application.

Related Topics

• Configuring End-user Access to the Single Sign-on URL, page 7-6

Method Additional Steps

Upload a certificate and key

1. Select Use Uploaded Certificate and Key.

2. In the Certificate field, click Browse; locate the file to upload.

Note The Web Proxy uses the first certificate or key in the file. The certificate file must be in PEM format. DER format is not supported.

3. In the Key field, click Browse; locate the file to upload.

If the key is encrypted, select Key is Encrypted.

Note The key length must be 512, 1024, or 2048 bits. The private key file must be in PEM format. DER format is not supported.

4. Click Upload Files.

5. Click Download Certificate to download a copy of the certificate for transfer to the SaaS applications with which the Web Security appliance will communicate.

Generate a certificate and key

1. Select Use Generated Certificate and Key.

2. Click Generate New Certificate and Key.

a. In the Generate Certificate and Key dialog box, enter the information to display in the signing certificate.

Note You can enter any ASCII character except the forward slash ( / ) in the Common Name field.

b. Click Generate.

3. Click Download Certificate to transfer the certificate to the SaaS applications with which the Web Security appliance will communicate.

4. (Optional) To use a signed certificate, click the Download Certificate Signing Request (DCSR) link to submit a request to a certificate authority (CA). After you receive a signed certificate from the CA, click Browse and navigate to the signed certificate location. Click Upload File.


Chapter 7 SaaS Access Control Using SaaS Access Control and Multiple Appliances

Using SaaS Access Control and Multiple AppliancesBefore You Begin

• Configure the Appliance as an Identity Provider, page 15-2

Step 1 Configure the same Identity Provider Domain Name for each Web Security appliance.

Step 2 Configure the same Identity Provider Entity ID for each Web Security appliance.

Step 3 Upload the same certificate and private key to each appliance on the Network > Identity Provider for SaaS page.

Step 4 Upload this certificate to each SaaS application you configure.

Creating SaaS Application Authentication PoliciesBefore You Begin

• Create associated identities.

• Configure Identity Provider, see Configuring the Appliance as an Identity Provider, page 7-2.

• Provide an Identity Provider Signing Certificate and Key: Network > Identity Provider for SaaS > Enable and Edit Settings.

• Create an Authentication Realm, Authentication Realms, page 5-10.

Step 1 Choose Web Security Manager > SaaS Policies.

Step 2 Click Add Application.

Step 3 Configure the settings:


Application Name Enter a name to identify the SaaS application for this policy; each application name must be unique. The Web Security appliance uses the application name to generate a single sign-on URL.

Description (Optional) Enter a description for this SaaS policy.


Chapter 7 SaaS Access Control Creating SaaS Application Authentication Policies

Metadata for Service Provider

Configure the metadata that describes the service provider referenced in this policy. You can either describe the service provider properties manually or upload a metadata file provided by the SaaS application.

The Web Security appliance uses the metadata to determine how to communicate with the SaaS application (service provider) using SAML. Contact the SaaS application to learn the correct settings to configure the metadata.

Configure Keys Manually – If you select this option, provide the following:

• Service Provider Entity ID. Enter the text (typically in URI format) the SaaS application uses to identify itself as a service provider.

• Name ID Format. Choose from the drop-down list the format the appliance should use to identify users in the SAML assertion it sends to service providers. The value you enter here must match the corresponding setting configured on the SaaS application.

• Assertion Consumer Service URL. Enter the URL to which the Web Security appliance is to send the SAML assertion it creates. Read the SaaS application documentation to determine the correct URL to use (also known as the login URL).

Import File from Hard Disk – If you select this option, click Browse, locate the file, and then click Import.

Note This metadata file is an XML document, following the SAML standard, that describes a service provider instance. Not all SaaS applications use metadata files, but for those that do, contact the SaaS application provider for the file.

User Identification / Authentication for SaaS SSO

Specify how users are identified/authenticated for SaaS single sign-on:

• Always prompt users for their local authentication credentials.

• Prompt users for their local authentication credentials if the Web Proxy obtained their user names transparently.

• Automatically sign in SaaS users using their local authentication credentials.

Choose the authentication realm or sequence the Web Proxy should use to authenticate users accessing this SaaS application. Users must be a member of the authentication realm or authentication sequence to successfully access the SaaS application. If an Identity Services Engine is used for authentication, and LDAP was selected, the realm will be used for the SAML user names and attribute mapping.



Chapter 7 SaaS Access Control Configuring End-user Access to the Single Sign-on URL


What to Do Next

• Set up the single sign-on settings on the SaaS application side, using the same parameters to configure the application.

Configuring End-user Access to the Single Sign-on URLAfter you configure the Web Security appliance as an identity provider and create a SaaS Application Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL). The Web Security appliance uses the application name configured in the SaaS Application Authentication Policy to generate the single sign-on URL; the SSO URL format is:

http://IdentityProviderDomainName/SSOURL/ApplicationName

Step 1 Obtain the single sign-on URL from the Web Security Manager > SaaS Policies page.

Step 2 Make the URL available to end-users depending on which flow type.

SAML User Name Mapping

Specify how the Web Proxy should represent user names to the service provider in the SAML assertion. You can pass the user names as they are used inside your network (No mapping), or you can change the internal user names into a different format using one of the following methods:

• LDAP query. The user names sent to the service provider are based on one or more LDAP query attributes. Enter an expression containing LDAP attribute fields and optional custom text. You must enclose attribute names in angled brackets. You can include any number of attributes. For example, for the LDAP attributes “user” and “domain,” you could enter <user>@<domain>.com.

• Fixed Rule mapping. The user names sent to the service provider are based on the internal user name with a fixed string added before or after the internal user name. Enter the fixed string in the Expression Name field, with %s either before or after the string to indicate its position in the internal user name.

SAML Attribute Mapping

(Optional) You can provide to the SaaS application additional information about the internal users from the LDAP authentication server if required by the SaaS application. Map each LDAP server attribute to a SAML attribute.

Authentication Context Choose the authentication mechanism the Web Proxy uses to authenticate its internal users.

Note The authentication context informs the service provider which authentication mechanism the identity provider used to authenticate the internal users. Some service providers require a particular authentication mechanism to allow users to access the SaaS application. If a service provider requires an authentication context that is not supported by an identity provider, users cannot access the service provider using single sign-on from the identity provider.




Step 3 If you choose Identity provider initiated flow, the appliance redirects users to the SaaS application.

Step 4 If you choose Service Provider initiated flows, you must configure this URL in the SaaS application.

• Always prompt SaaS users for proxy authentication. After entering valid credentials, users are logged into the SaaS application.

• Transparently sign in SaaS users. Users are logged into the SaaS application automatically.

Note To achieve single sign-on behavior using explicit forward requests for all authenticated users when the appliance is deployed in transparent mode, select “Apply same surrogate settings to explicit forward requests” when you configure the Identity group.



C H A P T E R


8Integrate the Cisco Identity Services Engine

• Overview of the Identity Services Engine Service, page 8-1

• Identity Services Engine Certificates, page 8-2

• Tasks for Certifying and Integrating the ISE Service, page 8-3

• Connect to the ISE Services, page 8-6

• Troubleshooting Identity Services Engine Problems, page 8-7

Overview of the Identity Services Engine ServiceCisco’s Identity Services Engine (ISE) is an application that runs on separate servers in your network to provide enhanced identity management. AsyncOS can access user-identity information from an ISE server. If configured, user names and associated Secure Group Tags will be obtained from the Identity Services Engine for appropriately configured Identification Profiles, to allow transparent user identification in policies configured to use those profiles.

Note The ISE service is not available in Connector mode.

Related Topics

• About pxGrid, page 8-1

• About the ISE Server Deployment and Failover, page 8-2

About pxGridCisco’s Platform Exchange Grid (pxGrid) enables collaboration between components of the network infrastructure, including security-monitoring and network-detection systems, identity and access management platforms, and so on. These components can use pxGrid to exchange information via a publish/subscribe method.

There are essentially three pxGrid components: the pxGrid publisher, the pxGrid client, and the pxGrid controller.

• pxGrid publisher – Provides information for the pxGrid client(s).

• pxGrid client – Any system, such as the Web Security appliance, that subscribes to published information; in this case, Security Group Tag (SGT) and user-group and profiling information.


Chapter 8 Integrate the Cisco Identity Services Engine Identity Services Engine Certificates

• pxGrid controller – In this case, the ISE pxGrid node that controls the client registration/management and topic/subscription processes.

Trusted certificates are required for each component, and these must be installed on each host platform.

About the ISE Server Deployment and FailoverA single ISE node set-up is called a “standalone deployment,” and this single node runs the Administration, Policy Service, and Monitoring personae. To support failover and to improve performance, you must set up multiple ISE nodes in a “distributed deployment.” The minimum required distributed ISE configuration to support ISE failover on your Web Security appliance is:

• Two pxGrid nodes

• Two Monitoring nodes

• Two Administration nodes

• One Policy Service node

This configuration is referred to in the Cisco Identity Services Engine Hardware Installation Guide as a “Medium-Sized Network Deployment.” Refer to that network deployments section in the Installation Guide for additional information.

Related Topics





Identity Services Engine Certificates

Note This section describes the certificates necessary for ISE connection. Tasks for Certifying and Integrating the ISE Service, page 8-3 provides detailed information about these certificates. Certificate Management, page 22-25, provides general certificate-management information for AsyncOS.

A set of three certificates is required for mutual authentication and secure communication between the Web Security appliance and each ISE server:

• WSA Client Certificate – Used by the ISE server to authenticate the Web Security appliance.

• ISE Admin Certificate – Used by the Web Security appliance to authenticate an ISE server on port 443 for bulk download of ISE user-profile data.

• ISE pxGrid Certificate – Used by the Web Security appliance to authenticate an ISE server on port 5222 for WSA-ISE data subscription (on-going publish/subscribe queries to the ISE server).

These three certificates can be Certificate Authority (CA)-signed or self-signed. AsyncOS provides the option to generate a self-signed WSA Client certificate, or a Certificate Signing Request (CSR) instead, if a CA-signed certificate is needed. Similarly, the ISE server provides the option to generate self-signed ISE Admin and pxGrid certificates, or CSRs instead if CA-signed certificates are needed.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html#ID-1413-000000b1


Chapter 8 Integrate the Cisco Identity Services Engine Tasks for Certifying and Integrating the ISE Service

Related Topics

• Using Self-signed Certificates, page 8-3

• Using CA-signed Certificates, page 8-3




Using Self-signed CertificatesWhen self-signed certificates are used on the ISE server, all three certificates—the ISE pxGrid and Admin certificates, developed on the ISE server, as well as the WSA Client certificate, developed on the WSA—must be added to the Trusted Certificates store on the ISE server (Administration > Certificates > Trusted Certificates > Import).

Using CA-signed CertificatesIn the case of CA-signed certificates:

• On the ISE server, ensure the appropriate CA root certificate for the WSA Client certificate is present in the Trusted Certificates store (Administration > Certificates > Trusted Certificates).

• On the WSA, ensure the appropriate CA root certificates are present in the Trusted Certificates list (Network > Certificate Management > Manage Trusted Root Certificates). On the Identity Services Engine page (Network > Identity Services Engine), be sure to upload the CA root certificate(s) for the ISE Admin and pxGrid certificates.

Tasks for Certifying and Integrating the ISE Service


1a On the WSA, add a WSA Client certificate.

• Create or upload a CA-signed or self-signed WSA Client certificate on the WSA.

See Connect to the ISE Services, page 8-6, and Certificate Management, page 22-25.

1b On the WSA, download this WSA Client certificate for upload to the ISE server.

• Download the WSA Client certificate, save it, and then transfer it to the ISE server.

See Connect to the ISE Services, page 8-6.

2 If the WSA Client Certificate is self-signed, upload it and its signing certificate to the ISE server.

• Import the WSA Client certificate downloaded from the WSA in the previous step, adding it to the ISE server’s Trusted Certificate store. (Administration > Certificates > Trusted Certificates > Import.)

• Be sure to also add the appropriate signing certificate for this WSA Client certificate to the Trusted Certificates store on the ISE server, as discussed in Using Self-signed Certificates, page 8-3.



3 On the ISE server, add ISE Admin and pxGrid certificates.

• Navigate to the Administration > Certificates page, and generate or upload ISE Admin and pxGrid certificates:

– For CA-signed certificates, generate two Certificate Signing Requests, one each for Admin and pxGrid Usage, and then have the certificates signed.

Upon receipt of the signed certificates, upload both to the ISE server.

Perform the “Bind the CA Signed Certificate” operation for both.

Be sure to add the CA root certificate to the ISE server’s Trusted Certificates store.

Restart the ISE server.

– For self-signed certificates, navigate to Administration > Certificates > System Certificates, and generate two Self Signed Certificates, one each for Admin and pxGrid. (You can also elect to generate one common certificate for both.)

Add both to the Trusted Certificates store.

Export the self-signed certificate(s) for import onto the WSA.

Note Ensure the appropriate self-signed or CA root certificates for these ISE Admin and pxGrid certificates are added to the Trusted Certificates store, as discussed in Identity Services Engine Certificates, page 8-2.

4 Ensure the ISE server is configured appropriately for WSA access.

Each ISE server must be configured to allow identity topic subscribers (such as WSA) to obtain session context in real-time. The basic steps are:

• Ensure “Enable Auto Registration” is turned ON (Administration > pxGrid Services > Top Right).

• Delete all existing WSA clients from the ISE server (Administration > pxGrid Services > Clients).

• Be sure the ISE server footer (Administration > pxGrid Services) says “Connected to pxGrid.”

• Configure SGT groups on ISE server (Policy > Results > TrustSec > Security Groups).

• Configure policies that associate the SGT groups with users.

Refer to Cisco Identity Services Engine documentation for more information.


https://www.cisco.com/c/en/us/support/security/identity-services-engine/tsd-products-support-series-home.html



Note Whenever you upload or change certificates on the ISE server, you must restart the ISE service. Also, a few minutes may be required before the services and connections are restored.

Related Topics




5 On the WSA, add the exported ISE Admin and pxGrid certificates.

• Upload the ISE Admin and pxGrid certificates for each ISE server you are configuring on this WSA. See Connect to the ISE Services, page 8-6.

– If using a single self-signed certificate for both ISE Admin and pxGrid, upload the file twice, once each in the ISE Admin Certificate and ISE pxGrid Certificate fields. See Connect to the ISE Services, page 8-6.

– If using CA-signed certificates, be sure the Certificate Authority that signed each pair of ISE certificates is listed in the Trusted Root Certificates list on the WSA. If not, import the CA root certificate. See Managing Trusted Root Certificates, page 22-25.

Note If the ISE Admin and pxGrid certificates are signed by your Root CA certificate, be sure to upload Root CA certificate itself to the ISE Admin Certificate and ISE pxGrid Certificate fields on the WSA (Network > Identity Services Engine).

6 Complete configuration of the WSA for ISE access and logging.

• Connect to the ISE Services, page 8-6.

• Add the custom field %m to the Access Logs to log the Authentication mechanism – Customizing Access Logs, page 21-26.

• Verify that the ISE Service Log was created; if it was not, create it – Adding and Editing Log Subscriptions, page 21-7.

• Ensure the ISE Service Log was created; if not, add it – Adding and Editing Log Subscriptions, page 21-7.

• Define Identification Profiles that access ISE for user identification and authentication – Classifying Users and Client Software, page 6-3.

• Configure access policies that utilize ISE identification to define criteria and actions for user requests – Policy Configuration, page 10-10.



Chapter 8 Integrate the Cisco Identity Services Engine Connect to the ISE Services

Connect to the ISE ServicesBefore You Begin

• Be sure each ISE server is configured appropriately for WSA access; see Tasks for Certifying and Integrating the ISE Service, page 8-3.

• Obtain ISE server connection information.

• Obtain valid ISE-related certificates (client, Portal and pxGrid) and keys. See also Identity Services Engine Certificates, page 8-2 for related information.

Step 1 Choose Network > Identification Service Engine.


Step 3 Check Enable ISE Service.

Step 4 Identify the Primary ISE pxGrid Node using its host name or IPv4 address.

a. Provide an ISE pxGrid Node Certificate for WSA-ISE data subscription (on-going queries to the ISE server).

Browse to and select the certificate file, and then click Upload File. See Uploading a Certificate and Key, page 22-26 for additional information.

Step 5 If using a second ISE server for failover, identify the Secondary ISE pxGrid Node using its host name or IPv4 address.

a. Provide the secondary ISE pxGrid Node Certificate.


Note During failover from primary to secondary ISE servers, any user not in the existing ISE SGT cache will be required to authenticate, or will be assigned Guest authorization, depending on your WSA configuration. After ISE failover is complete, normal ISE authentication resumes.

Step 6 Upload the ISE Monitoring Node Admin Certificates:

a. Provide the Primary ISE Monitoring Node Admin Certificate for use in bulk download of ISE user-profile data to the WSA.


b. If using a second ISE server for failover, provide the Secondary ISE Monitoring Node Admin Certificate.

Step 7 Provide a WSA Client Certificate for WSA-ISE server mutual authentication:

Note This must be a CA trusted-root certificate. See Identity Services Engine Certificates, page 8-2 for related information.

• Use Uploaded Certificate and Key

For both the certificate and the key, click Choose and browse to the respective file.

If the Key is Encrypted, check this box.


Chapter 8 Integrate the Cisco Identity Services Engine Troubleshooting Identity Services Engine Problems

Click Upload Files. (See Uploading a Certificate and Key, page 22-26 for additional information about this option.)

• Use Generated Certificate and Key

Click Generate New Certificate and Key. (See Generating a Certificate and Key, page 22-27 for additional information about this option.)

Step 8 Download the WSA Client Certificate, save it, and then upload it to the ISE server host (Administration > Certificates > Trusted Certificates > Import on the specified server).

Step 9 (Optional) Click Start Test to test the connection with the ISE pxGrid node(s).


What to Do Next

• Classify End-Users and Client Software, page 6-1

• Create Policies to Control Internet Requests, page 10-1

Related Information

• http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html, particularly “How To Integrate Cisco WSA using ISE and TrustSec through pxGrid.”

Troubleshooting Identity Services Engine Problems• Identity Services Engine Problems, page A-10

– Tools for Troubleshooting ISE Issues, page A-10

– ISE Server Connection Issues, page A-11

– ISE-related Critical Log Messages, page A-12

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-104-Integrate-Cisco-WSA-using-ISE-and-TrustSec-through-pxGrid.pdf

http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-104-Integrate-Cisco-WSA-using-ISE-and-TrustSec-through-pxGrid.pdf


Chapter 8 Integrate the Cisco Identity Services Engine Troubleshooting Identity Services Engine Problems

C H A P T E R


9Classify URLs for Policy Application

• Overview of Categorizing URL Transactions, page 9-1

• Configuring the URL Filtering Engine, page 9-4

• Managing Updates to the Set of URL Categories, page 9-4

• Filtering Transactions Using URL Categories, page 9-9

• Creating and Editing Custom URL Categories, page 9-14

• Filtering Adult Content, page 9-16

• Redirecting Traffic in the Access Policies, page 9-18

• Warning Users and Allowing Them to Continue, page 9-19

• Creating Time Based URL Filters, page 9-20

• Viewing URL Filtering Activity, page 9-21

• Regular Expressions, page 9-21

• URL Category Descriptions, page 9-25

Overview of Categorizing URL TransactionsUsing policy groups, you can create secure policies that control access to web sites containing questionable content. The sites that are blocked, allowed, or decrypted depend on the categories you select when setting up category blocking for each policy group. To control user access based on a URL category, you must enable Cisco Web Usage Controls. This is a multi-layered URL filtering engine that uses domain prefixes and keyword analysis to categorize URLs.

You can use URL categories when performing the following tasks:

Option Method

Define policy group membership Matching URLs to URL Categories, page 9-3

Control access to HTTP, HTTPS, and FTP requests

Filtering Transactions Using URL Categories, page 9-9

Create user defined custom URL categories that specify specific hostnames and IP addresses

Creating and Editing Custom URL Categories, page 9-14


Chapter 9 Classify URLs for Policy Application Overview of Categorizing URL Transactions

Categorization of Failed URL TransactionsThe Dynamic Content Analysis engine categorizes URLs when controlling access to websites in Access Policies only. It does not categorize URLs when determining policy group membership or when controlling access to websites using Decryption or Cisco Data Security Policies. This is because the engine works by analyzing the response content from the destination server, so it cannot be used on decisions that must be made at request time before any response is downloaded from the server.

If the web reputation score for an uncategorized URL is within the WBRS ALLOW range, AsyncOS allows the request without performing Dynamic Content Analysis.

After the Dynamic Content Analysis engine categorizes a URL, it stores the category verdict and URL in a temporary cache. This allows future transactions to benefit from the earlier response scan and be categorized at request time instead of at response time.

Enabling the Dynamic Content Analysis engine can impact transaction performance. However, most transactions are categorized using the Cisco Web Usage Controls URL categories database, so the Dynamic Content Analysis engine is usually only called for a small percentage of transactions.

Enabling the Dynamic Content Analysis Engine

Note It is possible for an Access Policy, or an Identity used in an Access Policy, to define policy membership by a predefined URL category and for the Access Policy to perform an action on the same URL category. The URL in the request can be uncategorized when determining Identity and Access Policy group membership, but must be categorized by the Dynamic Content Analysis engine after receiving the server response. Cisco Web Usage Controls ignores the category verdict from the Dynamic Content Analysis engine and the URL retains the “uncategorized” verdict for the remainder of the transaction. Future transactions will still benefit from the new category verdict.

Step 1 Choose Security Services > Acceptable Use Controls.

Step 2 Enable the Cisco Web Usage Controls.

Step 3 Click to enable the Dynamic Content Analysis engine.


Uncategorized URLsAn uncategorized URL is a URL that does not match any pre-defined URL category or included custom URL category.

Note When determining policy group membership, a custom URL category is considered included only when it is selected for policy group membership.

All transactions resulting in unmatched categories are reported on the Reporting > URL Categories page as “Uncategorized URLs.” A large number of uncategorized URLs are generated from requests to web sites within the internal network. Cisco recommends using custom URL categories to group internal


Chapter 9 Classify URLs for Policy Application Overview of Categorizing URL Transactions

URLs and allow all requests to internal web sites. This decreases the number of web transactions reported as “Uncategorized URLs” and instead reports internal transactions as part of “URL Filtering Bypassed” statistics.

Related Topics

• Understanding Unfiltered and Uncategorized Data, page 9-21.

• Creating and Editing Custom URL Categories, page 9-14.

Matching URLs to URL CategoriesWhen the URL filtering engine matches a URL category to the URL in a client request, it first evaluates the URL against the custom URL categories included in the policy group. If the URL in the request does not match an included custom category, the URL filtering engine compares it to the predefined URL categories. If the URL does not match any included custom or predefined URL categories, the request is uncategorized.

Note When determining policy group membership, a custom URL category is considered included only when it is selected for policy group membership.

Tip To see what category a particular web site is assigned to, go to the URL in Reporting Uncategorized and Misclassified URLs, page 9-3.

Related Topics

• Uncategorized URLs, page 9-2.

Reporting Uncategorized and Misclassified URLsYou can report uncategorized and misclassified URLs to Cisco. Cisco provides a URL submission tool on its website that allows you to submit multiple URLs simultaneously:

https://securityhub.cisco.com/web/submit_urls

To check the status of submitted URLs, click the Status on Submitted URLs tab on this page. You can also use the URL submission tool to look up the assigned URL category for any URL.

URL Categories DatabaseThe category that a URL falls into is determined by a filtering categories database. The Web Security appliance collects information and maintains a separate database for each URL filtering engine. The filtering categories databases periodically receive updates from the Cisco update server.

The URL categories database includes many different factors and sources of data internal to Cisco and from the Internet. One of the factors occasionally considered, heavily modified from the original, is information from the Open Directory Project.


Chapter 9 Classify URLs for Policy Application Configuring the URL Filtering Engine

Tip To see what category a particular web site is assigned to, go to the URL in Reporting Uncategorized and Misclassified URLs, page 9-3.

Related Topics

• Manually Updating Security Service Components, page 22-29.

Configuring the URL Filtering Engine By default, the Cisco Web Usage Controls URL filtering engine is enabled in the System Setup Wizard.



Step 3 Verify the Enable Acceptable Use Controls property is enabled.

Step 4 Choose whether or not to enable the Dynamic Content Analysis Engine.

Step 5 Choose the default action the Web Proxy should use when the URL filtering engine is unavailable, either Monitor or Block. Default is Monitor.


Managing Updates to the Set of URL Categories The set of predefined URL categories may occasionally be updated in order to accommodate new web trends and evolving usage patterns. Updates to the URL category set are distinct from the changes that add new URLs and re-map misclassified URLs. Category set updates may change configurations in your existing policies and therefore require action. URL category set updates may occur between product releases; an AsyncOS upgrade is not required.

Information is available from: http://www.cisco.com/en/US/products/ps10164/prod_release_notes_list.html.

Take the following actions:

When to Act Method

Before updates occur

(Do these tasks as part of your initial setup)

Understanding the Impacts of URL Category Set Updates, page 9-5

Controlling Updates to the URL Category Set, page 9-7

Default Settings for New and Changed Categories, page 9-8

Receiving Alerts About Category and Policy Changes, page 9-8

After updates occur Responding to Alerts about URL Category Set Updates, page 9-8

http://www.cisco.com/en/US/products/ps10164/prod_release_notes_list.html


Chapter 9 Classify URLs for Policy Application Managing Updates to the Set of URL Categories

Understanding the Impacts of URL Category Set Updates URL category set updates can have the following impacts on existing Access Policies, Decryption Policies, and Cisco Data Security policies, and on Identities:

• Effects of URL Category Set Changes on Policy Group Membership, page 9-5

• Effects of URL Category Set Updates on Filtering Actions in Policies, page 9-5

Effects of URL Category Set Changes on Policy Group Membership

This section applies to all policy types with membership that can be defined by URL category, and to Identities. When policy group membership is defined by URL category, changes to the category set may have the following effects:

• If the sole criterion for membership is a deleted category, the policy or identity is disabled.

If membership in any policy is defined by a URL category that changes, and if this causes ACL list changes, the web proxy will restart.

Effects of URL Category Set Updates on Filtering Actions in Policies

URL category set updates can change policy behavior in the following ways:

Change Effect on Policies and Identities

A new category can be added

For each policy, the default action for newly-added categories is the action specified for Uncategorized URLs for that policy.

A category can be deleted

The action associated with the deleted category is deleted.

If the policy depended exclusively on the deleted category, the policy is disabled.

If a policy depends on an identity that depended exclusively on a deleted category, the policy will be disabled.

A category can be renamed

No change to the behavior of the existing policy.

A category can split A single category can become multiple new categories. Both new categories have the action associated with the original category.



Related Topics

• Merged Categories - Examples, page 9-6.

Merged Categories - Examples Some examples of merged categories, based on settings on the URL Filtering page for the policy:

Two or more existing categories can merge

If all original categories in a policy had the same action assigned, the merged category has the same action as the original categories. If all original categories were set to “Use Global Setting” then the merged category is also set to “Use Global Setting.”

If the policy had different actions assigned to the original categories, the action assigned to the merged category depends on the Uncategorized URLs setting in that policy:

• If Uncategorized URLs is set to Block (or “Use Global Setting” when the global setting is Block), then the most restrictive action among the original categories is applied to the merged category.

• If Uncategorized URLs is set to any action other than Block (or “Use Global Setting” when the global setting is anything other than Block), then the least restrictive action among the original categories is applied to the merged category.

In this case, sites that were previously blocked may now be accessible to users.

If policy membership is defined by URL category, and some of the categories involved in the merge, or the Uncategorized URLs action, are not included in the policy membership definition, then the values in the Global Policy are used for the missing items.

• The order of restrictiveness is as follows (not all actions are available for all policy types):Block

• Drop

• Decrypt

• Warn

• Time-based

• Monitor

• Pass Through

Note Time-based policies that are based on merged categories adopt the action associated with any one of the original categories. (In time-based policies, there may be no obviously most- or least-restrictive action.)

Change Effect on Policies and Identities

Original Category 1 Original Category 2 Uncategorized URLs Merged Category

Monitor Monitor (Not Applicable) Monitor

Block Block (Not Applicable) Block

Use Global Settings

Use Global Settings (Not Applicable) Use Global Settings

Warn Block Monitor

Use the least restrictive among the original categories.

Warn



Controlling Updates to the URL Category Set By default, URL category set updates to occur automatically. These updates may change existing policy configurations, so you may prefer to disable all automatic updates.

Note If you use the CLI, disable updates by setting the update interval to zero (0)

Manually Updating the URL Category Set

Note Do not interrupt an update in progress.

If you have disabled automatic updates, you can manually update the set of URL categories at your convenience.

Monitor • Block or

• Use Global Settings,when Global is set to Block

• Block or

• Use Global Setting, when Global is set to Block

Use the most restrictive among the original categories.

Block

Block • Monitor or

• Use Global Settings, when Global is set to Monitor

• Monitor or

• Use Global Setting, when Global is set to Monitor

Use the least restrictive among the original categories.

Monitor

For policies in which membership is defined by URL category:

Monitor

An action for this category is not specified in this policy, but the value in the Global Policy for this category is Block

An action for Uncategorized URLs is not specified in this policy, but the value in the Global Policy for Uncategorized URLs is Monitor

Monitor

Original Category 1 Original Category 2 Uncategorized URLs Merged Category

Option Method

If you disable updates, you will need to manually update all services listed in the Update Servers (list) section of the System Administration > Upgrade and Update Settings page

Manually Updating the URL Category Set, page 9-7 andManually Updating Security Service Components, page 22-29

Disabling all automatic updates Configuring Upgrade and Service Update Settings, page 22-32.




Step 2 Determine whether an update is available:

Look at the “Cisco Web Usage Controls - Web Categorization Categories List” item in the Acceptable Use Controls Engine Updates table.

Step 3 To update, click Update Now.

Default Settings for New and Changed Categories URL category set updates may change the behavior of your existing policies. You should specify default settings for certain changes when you configure your policies, so that they are ready when URL category set updates occur. When new categories are added, or existing categories merge into a new category, the default action for these categories for each policy are affected by the Uncategorized URLs setting in that policy.

Verifying Existing Settings and/or Making Changes

Step 1 Choose Web Security Manager.

Step 2 For each Access Policy, Decryption Policy, and Cisco Data Security policy click the URL Filtering link.

Step 3 Check the selected setting for Uncategorized URLs.

Related Topics

• Effects of URL Category Set Updates on Filtering Actions in Policies, page 17-6.

Receiving Alerts About Category and Policy Changes Category set updates trigger two types of alerts:

• Alerts about category changes

• Alerts about policies that have changed or been disabled as a result of category set changes.

Step 1 Choose System Administration > Alerts.

Step 2 Click Add Recipient and add email address (or multiple email addresses).

Step 3 Decide which Alert Types and Alert Severities to receive.


Responding to Alerts about URL Category Set Updates When you receive an alert about category set changes, you should do the following:


Chapter 9 Classify URLs for Policy Application Filtering Transactions Using URL Categories

• Check policies and identities to be sure that they still meet your policy goals after category merges, additions, and deletions, and

• Consider modifying policies and identities to benefit from new categories and the added granularity of split categories.

Related Topics

• Understanding the Impacts of URL Category Set Updates, page 9-5

Filtering Transactions Using URL CategoriesThe URL filtering engine lets you filter transactions in Access, Decryption, and Data Security Policies. When you configure URL categories for policy groups, you can configure actions for custom URL categories, if any are defined, and predefined URL categories.

The URL filtering actions you can configure depends on the type of policy group:

Related Topics

• Redirecting Traffic in the Access Policies, page 9-18.

• Warning Users and Allowing Them to Continue, page 9-19


• Effects of URL Category Set Updates on Filtering Actions in Policies, page 9-5

Configuring URL Filters for Access Policy GroupsYou can configure URL filtering for user-defined Access Policy groups and the Global Policy Group.

Step 1 Choose Web Security Manager > Access Policies.

Step 2 Click the link in the policies table under the URL Filtering column for the policy group you want to edit.

Step 3 (Optional) In the Custom URL Category Filtering section, you can add custom URL categories on which to take action in this policy:

a. Click Select Custom Categories.

b. Choose which custom URL categories to include in this policy and click Apply.

Choose which custom URL categories the URL filtering engine should compare the client request against. The URL filtering engine compares client requests against included custom URL categories, and ignores excluded custom URL categories. The URL filtering engine compares the URL in a client request to included custom URL categories before predefined URL categories.

Option Method

Access Policies Configuring URL Filters for Access Policy Groups, page 9-9

Decryption Policies Configuring URL Filters for Decryption Policy Groups, page 9-12

Cisco Data Security Policies Configuring URL Filters for Data Security Policy Groups, page 9-13



The custom URL categories included in the policy appear in the Custom URL Category Filtering section.

Step 4 In the Custom URL Category Filtering section, choose an action for each included custom URL category.

Step 5 In the Predefined URL Category Filtering section, choose one of the following actions for each category:

• Use Global Settings

• Monitor

• Warn

• Block

• Time-Based

• Quota-Based

Step 6 In the Uncategorized URLs section, choose the action to take for client requests to web sites that do not fall into a predefined or custom URL category. This setting also determines the default action for new and merged categories resulting from URL category set updates.


Action Description

Use Global Settings

Uses the action for this category in the Global Policy Group. This is the default action for user defined policy groups.

Applies to user defined policy groups only.

Note When a custom URL category is excluded in the global Access Policy, then the default action for included custom URL categories in user defined Access Policies is Monitor instead of Use Global Settings. You cannot choose Use Global Settings when a custom URL category is excluded in the global Access Policy.

Block The Web Proxy denies transactions that match this setting.

Redirect Redirects traffic originally destined for a URL in this category to a location you specify. When you choose this action, the Redirect To field appears. Enter a URL to which to redirect all traffic.

Allow Always allows client requests for web sites in this category.

Allowed requests bypass all further filtering and malware scanning.

Only use this setting for trusted web sites. You might want to use this setting for internal sites.

Monitor The Web Proxy neither allows nor blocks the request. Instead, it continues to evaluate the client request against other policy group control settings, such as web reputation filtering.

Warn The Web Proxy initially blocks the request and displays a warning page, but allows the user to continue by clicking a hypertext link in the warning page.

Quota-Based As a individual user approaches either the volume or time quotas you have specified, a warning is displayed. When a quota is met, a block page is displayed. See Time Ranges and Quotas, page 10-16.

Time-Based The Web Proxy blocks or monitors the request during the time ranges you specify. See Time Ranges and Quotas, page 10-16.



• Exceptions to Blocking for Embedded and Referred Content, page 9-11

Exceptions to Blocking for Embedded and Referred Content

A Website may embed or refer to content that is categorized differently than the source page, or that is considered an application. By default, embedded/referred content is blocked or monitored based on the action selected for its assigned category or application, regardless of how the source Website is categorized. For example, a News site could contain content, or a link to content, that categorized as Streaming Video and identified as being the application YouTube. According to your policy, Streaming Video and YouTube are both blocked, while News sites are not.

Note Requests for embedded content usually include the address of the site from which the request originated (this is known as the “referer” field in the request’s HTTP header). This header information is used to determine categorization of the referred content.

You can use this feature to define exceptions to the default actions for embedded/referred content; for example, to permit all content embedded in or referred to from News Websites, or from a custom category representing your intranet.

Note Referer-based exceptions are supported only in Access policies. To use this feature with HTTPS traffic, before defining exceptions in Access policies, you must configure HTTPS decryption of the URL Categories that you will select for exception. See Configuring URL Filters for Decryption Policy Groups, page 9-12 for information about configuring HTTPS decryption. See Conditions and Restrictions for Exceptions to Blocking for Embedded and Referred Content, page A-10 for additional information about using this feature with HTTPS decryption. CSCva35532

Step 1 On the URL Filtering page for a particular Access Policy (see Configuring URL Filters for Access Policy Groups, page 9-9), click Enable Exceptions in the Exceptions to Blocking for Embedded/Referred Content section.

Step 2 Click the Click to select categories link in the Set Exception for Content Referred by These Categories column, opening the URL filtering category referral-exception selection page.

Step 3 From the Predefined and Custom URL Categories lists, select the categories for which you wish to define this referral exception, then click Done to return to the URL Filtering page for this Access Policy.

Step 4 Choose an exception type from the Set Exception for this Referred Content drop-down list:

• All embedded/referred content – All content embedded in and referred from sites of the specified category types is not blocked, regardless of the categorization of that content.

• Selected embedded/referred content – After choosing this option, select specific Categories and Applications that are not blocked when originating from the specified URL categories.

• All embedded/referred content except – After choosing this option, all content embedded in and referred from sites of the specified category types is not blocked, except those URL categories and applications you now specify here. In other words, these types will remain blocked.




Tip You can elect to display “Permitted by Referrer” transaction data in the tables and charts provided on the following Reporting pages: URL Categories, Users and Web Sites, as well as related charts on the Overview page. See Choosing Which Data to Chart, page 18-4 for more information about selecting chart-display options.

Configuring URL Filters for Decryption Policy GroupsYou can configure URL filtering for user defined Decryption Policy groups and the global Decryption Policy group.

Step 1 Choose Web Security Manager > Decryption Policies.







Step 4 Choose an action for each custom and predefined URL category.

Action Description

Use Global Setting

Uses the action for this category in the global Decryption Policy group. This is the default action for user defined policy groups.


When a custom URL category is excluded in the global Decryption Policy, then the default action for included custom URL categories in user defined Decryption Policies is Monitor instead of Use Global Settings. You cannot choose Use Global Settings when a custom URL category is excluded in the global Decryption Policy.

Pass Through Passes through the connection between the client and the server without inspecting the traffic content.

Monitor The Web Proxy neither allows nor blocks the request. Instead, it continues to evaluate the client request against other policy group control settings, such as web reputation filtering.

Decrypt Allows the connection, but inspects the traffic content. The appliance decrypts the traffic and applies Access Policies to the decrypted traffic as if it were a plain text HTTP connection. By decrypting the connection and applying Access Policies, you can scan the traffic for malware.

Drop Drops the connection and does not pass the connection request to the server. The appliance does not notify the user that it dropped the connection.



Note If you want to block a particular URL category for HTTPS requests, choose to decrypt that URL category in the Decryption Policy group and then choose to block the same URL category in the Access Policy group.

Step 5 In the Uncategorized URLs section, choose the action to take for client requests to web sites that do not fall into a predefined or custom URL category.

This setting also determines the default action for new and merged categories resulting from URL category set updates.


Configuring URL Filters for Data Security Policy GroupsYou can configure URL filtering for user defined Data Security Policy groups and the Global Policy Group.

Step 1 Choose Web Security Manager > Cisco Data Security.








Chapter 9 Classify URLs for Policy Application Creating and Editing Custom URL Categories

Step 4 In the Custom URL Category Filtering section, choose an action for each custom URL category.

Step 5 In the Predefined URL Category Filtering section, choose one of the following actions for each category:

• Use Global Settings

• Monitor

• Block

Step 6 In the Uncategorized URLs section, choose the action to take for upload requests to web sites that do not fall into a predefined or custom URL category. This setting also determines the default action for new and merged categories resulting from URL category set updates.


Related Topics

• Effects of URL Category Set Updates on Filtering Actions in Policies, page 9-5.

Creating and Editing Custom URL CategoriesYou can create custom URL categories that specify specific host names and IP addresses. In addition, you can edit and delete existing URL categories. When you include these custom URL categories in the same Access, Decryption, or Cisco Data Security Policy group and define different actions to each category, the action of the higher included custom URL category takes effect.

Action Description

Use Global Setting

Uses the action for this category in the Global Policy Group. This is the default action for user defined policy groups.


When a custom URL category is excluded in the global Cisco Data Security Policy, then the default action for included custom URL categories in user defined Cisco Data Security Policies is Monitor instead of Use Global Settings. You cannot choose Use Global Settings when a custom URL category is excluded in the global Cisco Data Security Policy.

Allow Always allows upload requests for web sites in this category. Applies to custom URL categories only.

Allowed requests bypass all further data security scanning and the request is evaluated against Access Policies.

Only use this setting for trusted web sites. You might want to use this setting for internal sites.

Monitor The Web Proxy neither allows nor blocks the request. Instead, it continues to evaluate the upload request against other policy group control settings, such as web reputation filtering.

Block The Web Proxy denies transactions that match this setting.


Chapter 9 Classify URLs for Policy Application Creating and Editing Custom URL Categories

Note The Web Security appliance uses the first four characters of custom URL category names preceded by “c_” in the access logs. Consider the custom URL category name if you use Sawmill to parse the access logs. If the first four characters of the custom URL category include a space, Sawmill cannot properly parse the access log entry. Instead, only use supported characters in the first four characters. If you want to include the full name of a custom URL category in the access logs, add the %XF format specifier to the access logs.

Before You Begin

• Go to Security Services > Acceptable Use Controls to enable Acceptable Use Controls.

Step 1 Choose Web Security Manager > Custom URL Categories.

Step 2 To create a custom URL category, click Add Category. To edit an existing custom URL category, click the name of the URL category.

Step 3 Provide the following information.

Setting Description

Category Name Enter an identifier for this URL category. This name appears when you configure URL filtering for policy groups.

List Order Specify the order of this category in the list of custom URL categories. Enter “1” for the first URL category in the list.

The URL filtering engine evaluates a client request against the custom URL categories in the order specified.


Chapter 9 Classify URLs for Policy Application Filtering Adult Content


Related Topics

• Regular Expressions, page 9-21.

• Customizing Access Logs, page 21-26.

Filtering Adult ContentYou can configure the Web Security appliance to filter adult content from some web searches and websites. To enforce safe search and site content ratings, the AVC engine takes advantage of the safe mode feature implemented at a particular website by rewriting URLs and/or web cookies to force the safety mode to be on.

Sites • Enter one or more Site addresses for this custom category. You can enter multiple addresses separated by line breaks or commas. These addresses can be in any of the following formats:

– IPv4 address, such as 10.1.1.0

– IPv6 address, such as 2001:0db8::

– IPv4 CIDR address, such as 10.1.1.0/24

– IPv6 CIDR address, such as 2001:0db8::/32

– Domain name, such as example.com

– Hostname, such as crm.example.com

– Partial hostname, such as .example.com; this will also match www.example.com

– Regular expressions can be entered in the Advanced section, as described below.

Note It is possible to use the same address in multiple custom URL categories, but the order in which the categories are listed is relevant. If you include these categories in the same policy, and define different actions for each, the action defined for the category listed highest in the custom URL categories table will be the one applied.

• (Optional) Click Sort URLs to sort all addresses in the Sites field.

Note Once you sort the addresses, you cannot retrieve their original order.

Advanced You can use regular expressions to specify multiple addresses that match the patterns you enter.

Note The URL filtering engine compares URLs with addresses entered in the Sites field first. If the URL of a transaction matches an entry in the Sites field, it is not compared to any expression entered here.

See Regular Expressions, page 9-21 for more information about using regular expressions.

Setting Description


Chapter 9 Classify URLs for Policy Application Filtering Adult Content

The following features filter adult content:

Note Any Access Policy that has either the safe search or site content ratings feature enabled is considered a safe browsing Access Policy.

Enforcing Safe Searches and Site Content Ratings

Before you begin:

When you enable Safe Search or Site Content Rating, the AVC Engine is tasked with identifying applications for safe browsing. As one of the criteria, the AVC engine will scan the response body to detect a search application. As a result, the appliance will not forward range headers.


Step 2 Click the link under the URL Filtering column for an Access Policy group or the Global Policy Group.

Step 3 When editing a user-defined Access Policy, choose Define Content Filtering Custom Settings in the Content Filtering section.

Step 4 Click the Enable Safe Search check box to enable the safe search feature.

Step 5 Choose whether to block users from search engines that are not currently supported by the Web Security appliance safe search feature.

Step 6 Click the Enable Site Content Rating check box to enable the site content ratings feature.

Step 7 Choose whether to block all adult content from the supported content ratings websites or to display the end-user URL filtering warning page.

Note When the URL of one of the supported search engines or supported content ratings websites is included in a custom URL category with the Allow action applied, no search results are blocked and all content is visible.


Related Topics

• Warning Users and Allowing Them to Continue, page 9-19.

• Controlling Access to Web Applications, page 17-18

Option Description

Enforce safe searches You can configure the Web Security appliance so that outgoing search requests appear to search engines as safe search requests. This can prevent users from bypassing acceptable use policies using search engines.

Enforce site content ratings Some content sharing sites allow users to restrict their own access to the adult content on these sites by either enforcing their own safe search feature or blocking access to adult content, or both. This classification feature is commonly called content ratings.


Chapter 9 Classify URLs for Policy Application Redirecting Traffic in the Access Policies

Logging Adult Content AccessBy default, the access logs include a safe browsing scanning verdict inside the angled brackets of each entry. The safe browsing scanning verdict indicates whether or not either the safe search or site content ratings feature was applied to the transaction. You can also add the safe browsing scanning verdict variable to the access logs or W3C access logs:

• Access logs: %XS

• W3C access logs: x-request-rewrite

Requests blocked due to either the safe search or site content rating features, use one of the following ACL decision tags in the access logs:

• BLOCK_SEARCH_UNSAFE

• BLOCK_CONTENT_UNSAFE

• BLOCK_UNSUPPORTED_SEARCH_APP

• BLOCK_CONTINUE_CONTENT_UNSAFE

Related Topics

• ACL Decision Tags, page 21-16.

Redirecting Traffic in the Access PoliciesYou can configure the Web Security appliance to redirect traffic originally destined for a URL in a custom URL category to a location you specify. This allows you to redirect traffic at the appliance instead of at the destination server. You can redirect traffic for a custom Access Policy group or the Global Policy Group

Before You Begin

• To redirect traffic you must define at least one custom URL category.


Step 2 Click the link under the URL Filtering column for an Access Policy group or the Global Policy Group.

Step 3 In the Custom URL Category Filtering section, click Select Custom Categories.

Value Description

ensrch The original client request was unsafe and the safe search feature was applied.

encrt The original client request was unsafe and the site content ratings feature was applied.

unsupp The original client request was to an unsupported search engine.

err The original client request was unsafe, but neither the safe search nor the site content ratings feature could be applied due to an error.

- Neither the safe search nor the site content ratings feature was applied to the client request because the features were bypassed (for example, the transaction was allowed in a custom URL category) or the request was made from an unsupported application.


Chapter 9 Classify URLs for Policy Application Warning Users and Allowing Them to Continue

Step 4 In the Select Custom Categories for this Policy dialog box, choose Include in policy for the custom URL category you want to redirect.

Step 5 Click Apply.

Step 6 Click the Redirect column for the custom category you want to redirect.

Step 7 Enter the URL to which you want to redirect traffic in the Redirect To field for the custom category.


Note Beware of infinite loops when you configure the appliance to redirect traffic.

Related Topics


Logging and ReportingWhen you redirect traffic, the access log entry for the originally requested website has an ACL tag that starts with REDIRECT_CUSTOMCAT. Later in the access log (typically the next line) appears the entry for the website to which the user was redirected.

The reports displayed on the Reporting tab display redirected transactions as “Allowed.”

Warning Users and Allowing Them to ContinueYou can warn users that a site does not meet the organization’s acceptable use policies. Users are tracked in the access log by user name if authentication has made a user name available, and tracked by IP address if no user name is available.

You can warn and allow users to continue using one of the following methods:

• Choose the Warn action for a URL category in an Access Policy group or

• Enable the site content ratings feature and warn users that access adult content instead of blocking them.

Configuring Settings for the End-User Filtering Warning Page

Note The warn and continue feature only works for HTTP and decrypted HTTPS transactions. It does not work with native FTP transactions.

Note When the URL filtering engine warns users for a particular request, it provides a warning page that the Web Proxy sends to the end user. However, not all websites display the warning page to the end user. When this happens, users are blocked from the URL that is assigned the Warn option without being given the chance to continue accessing the site anyway.


Chapter 9 Classify URLs for Policy Application Creating Time Based URL Filters

Step 1 Choose Security Services > End-User Notification.


Step 3 Configure the following settings on the End-User Filtering Warning page:


Related Topics

• Filtering Adult Content, page 9-16

• Custom Messages on Notification Pages, page 17-10

• Configuring the End-User URL Filtering Warning Page, page 17-9

Creating Time Based URL FiltersYou can configure how the Web Security appliance to handles requests for URLs in particular categories differently based on time and day.

Before You Begin

Go to the Web Security Manager > Defined Time Range page to define at least one time range.



Step 3 Select Time-Based for the custom or predefined URL category you want to configure based on time range.

Step 4 In the In Time Range field, choose the defined time range to use for the URL category.

Step 5 In the Action field, choose the action to enact on transactions in this URL category during the defined time range.

Step 6 In the Otherwise field, choose the action to enact on transactions in this URL category outside the defined time range.

Option Method

Time Between Warning The Time Between Warning determines how often the Web Proxy displays the end-user URL filtering warning page for each URL category per user.

This setting applies to users tracked by username and users tracked by IP address.

Specify any value from 30 to 2678400 seconds (one month). Default is 1 hour (3600 seconds).

Custom Message The custom message is text you enter that appears on every end-user URL filtering warning page.

Include some simple HTML tags to format the text.


Chapter 9 Classify URLs for Policy Application Viewing URL Filtering Activity


Related Topics

• Time Ranges and Quotas, page 10-16

Viewing URL Filtering ActivityThe Reporting > URL Categories page provides a collective display of URL statistics that includes information about top URL categories matched and top URL categories blocked. This page displays category-specific data for bandwidth savings and web transactions.

Related Topics

• Generate Reports to Monitor End-user Activity, page 18-1

Understanding Unfiltered and Uncategorized DataWhen viewing URL statistics on the Reporting > URL Categories page, it is important to understand how to interpret the following data:

URL Category Logging in Access Logs The access log file records the URL category for each transaction in the scanning verdict information section of each entry.

Related Topics

• Monitor System Activity Through Logs, page 21-1.

• URL Category Descriptions, page 9-25.

Regular ExpressionsThe Web Security appliance uses a regular expression syntax that differs slightly from the regular expression syntax used by other Velocity pattern-matching engine implementations. Further, the appliance does not support using a backward slash to escape a forward slash. If you need to use a forward slash in a regular expression, simply type the forward slash without a backward slash.

Data Type Description

URL Filtering Bypassed Represents policy, port, and admin user agent blocking that occurs before URL filtering.

Uncategorized URL Represents all transactions for which the URL filtering engine is queried, but no category is matched.


Chapter 9 Classify URLs for Policy Application Regular Expressions

Note Technically, AsyncOS for Web uses the Flex regular expression analyzer.

You can use regular expressions in the following locations:

• Custom URL categories for Access Policies. When you create a custom URL category to use with Access Policy groups, you can use regular expressions to specify multiple web servers that match the pattern you enter.

• Custom user agents to block. When you edit the applications to block for an Access Policy group, you can use regular expressions to enter specific user agents to block.

Note Regular expressions that perform extensive character matching consume resources and can affect system performance. For this reason, regular expressions should be cautiously applied.

Related Topics


• Policy: Protocols and User Agents, page 9-13

Forming Regular ExpressionsRegular expressions are rules that typically use the word “matches” in the expressions. They can be applied to match specific URL destinations or web servers. For example, the following regular expression matches any pattern containing “blocksite.com”:

\.blocksite\.com

Consider the following regular expression example:

server[0-9]\.example\.com

In this example, server[0-9] matches server0, server1, server2, ..., server9 in the domain example.com.

In the following example, the regular expression matches files ending in .exe, .zip, and .bin in the downloads directory.

/downloads/.*\.(exe|zip|bin)

Note You must enclose regular expressions that contain blank spaces or non-alphanumeric characters in ASCII quotation marks.



Guidelines for Avoiding Validation FailuresImportant: Regular expressions that return more that 63 characters will fail and produce an invalid-entry error. Please be sure to form regular expressions that do not have the potential to return more than 63 characters.

Follow these guidelines to minimize validation failures:

• Use literal expressions rather than wildcards and bracketed expressions whenever possible. A literal expression is essentially just straight text such as “It’s as easy as ABC123”. This is less likely to fail than using “It’s as easy as [A-C]{3}[1-3]{3}”. The latter expression results in the creation of non-deterministic finite automatons (NFA) entries, which can dramatically increase processing time.

• Avoid the use of an unescaped dot whenever possible. The dot is a special regular-expression character that means match any character except for a newline. If you want to match an actual dot, for example, as in “url.com”, then escape the dot using the \ character, as in “url\.com”. Escaped dots are treated as literal entries and therefore do not cause issues.

• Any unescaped dot in a pattern that will return more than 63 characters after the dot will be disabled by the pattern-matching engine, and an alert to that effect will be sent to you, and you will continue to receive an alert following each update until you correct or replace the pattern.

Similarly, use more specific matches rather than unescaped dots wherever possible. For example, if you want to match a URL that is followed by a single digit, use “url[0-9]” rather than “url.”.

• Unescaped dots in a larger regular expression can be especially problematic and should be avoided. For example, “Four score and seven years ago our fathers brought forth on this continent, a new nation, conceived in Liberty, and dedicated to the proposition that

all men are created .qual” may cause a failure. Replacing the dot in “.qual” with the literal “equal” should resolve the problem.

Also, an unescaped dot in a pattern that will return more than 63 characters after the dot will be disabled by the pattern-matching engine. Correct or replace the pattern.

• You cannot use “.*” to begin or end a regular expression. You also cannot use “./” in a regular expression intended to match a URL, nor can you end such an expression with a dot.

• Combinations of wildcards and bracket expressions can cause problems. Eliminate as many combinations as possible. For example, “id:[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\) Gecko/20100101 Firefox/9\.0\.1\$” may cause a failure, while “Gecko/20100101 Firefox/9\.0\.1\$” will not. The latter expression does not include any wildcards or bracketed expressions, and both expressions use only escaped dots.

When wildcards and bracketed expressions cannot be eliminated, try to reduce the expression’s size and complexity. For example, “[0-9a-z]{64}” may cause a failure. Changing it to something smaller or less complex, such as “[0-9]{64}” or “[0-9a-z]{40}” may resolve the problem.

If a failure occurs, try to resolve it by applying the previous rules to the wildcard (such as *, + and .) and bracketed expressions.



Regular Expression Character Table

Meta-character Description

. Matches any single character, except the newline character (0x0A). For example, the regular expression r.t matches the strings rat, rut, r t, but not root.

Be wary of using unescaped dots in long patterns, and especially in the middle of longer patterns. See Guidelines for Avoiding Validation Failures, page 9-23for more information.

* Matches zero or more occurrences of the character immediately preceding. For example, the regular expression .* means match any string of characters, and [0-9]* matches any string of digits.

Be wary of using this meta-character, especially in conjunction with the dot character. Any pattern containing an unescaped dot that returns more than 63 characters after the dot will be disabled. See Guidelines for Avoiding Validation Failures, page 9-23for more information.

\ The escape character; it means treat the following meta-character as an ordinary character. For example, \^ is used to match the caret character (^) rather than the beginning of a line. Similarly, the expression \. is used to match an actual dot rather than any single character.

^ Matches the beginning of a line. For example, the regular expression ^When in matches the beginning of the string “When in the course of human events” but not the string “What and when in the”.

$ Matches the end of a line or string. For example, b$\. matches any line or string that ends with “b.”

+ Matches one or more occurrences of the character or regular expression immediately preceding. For example, the regular expression 9+ matches 9, 99, and 999.

? Matches zero or one occurrence of the preceding pattern element. For example, colou?r matches both “colour” and “color” since the “u” is optional.

( ) Treat the expression between the left and right parens as a group, limiting the scope of other meta-characters. For example, (abc)+ matches one or more occurrences of the string “abc”; such as, “abcabcabc” or “abc123” but not “abab” or “ab123”.

| Logical OR: matches the preceding pattern or the following pattern. For example (him|her) matches the line “it belongs to him” and the line “it belongs to her” but does not match the line “it belongs to them.”

[ ] Matches any one of the characters between the brackets. For example, the regular expression r[aou]t matches “rat”, “rot”, and “rut”, but not “ret”.

Ranges of characters are specified by a beginning character, a hyphen, and an ending character. For example, the pattern [0-9] means match any digit. Multiple ranges can be specified as well. The pattern [A-Za-z] means match any upper- or lower-case letter. To match any character except those in the range (that is, the complementary range), use a caret as the first character after the opening bracket. For example, the expression [^269A-Z] matches any characters except 2, 6, 9, and uppercase letters.


Chapter 9 Classify URLs for Policy Application URL Category Descriptions

URL Category DescriptionsThis section lists the URL categories for Cisco Web Usage Controls. The tables also include the abbreviated URL category names that may appear in the Web Reputation filtering and anti-malware scanning section of an access log file entry.

Note In the access logs, the URL category abbreviations for Cisco Web Usage Controls include the prefix “IW_” before each abbreviation so that the “art” category becomes “IW_art.”

{ } Specifies the number of times to match the previous pattern.

For example:

D{1,3} matches one to three occurrences of the letter D

Matches a specific number {n} or a minimum number {n,} of instances of the preceding pattern. For example, the expression A[0-9]{3} matches “A” followed by exactly three digits. That is, it matches “A123” but not “A1234”. The expression [0-9]{4,} matches any sequence of four or more digits.

“...” Literally interpret any characters enclosed within the quotation marks.

Meta-character Description

URL Category Abbrevia-tion Code Description Example URLs

Adult adlt 1006 Directed at adults, but not necessarily pornographic. May include adult clubs (strip clubs, swingers clubs, escort services, strippers); general information about sex, non-pornographic in nature; genital piercing; adult products or greeting cards; information about sex not in the context of health or disease.

www.adultentertainmentexpo.com

www.adultnetline.com

Advertisements adv 1027 Banner and pop-up advertisements that often accompany a web page; other advertising websites that provide advertisement content. Advertising services and sales are classified as “Business and Industry.”

www.adforce.com

www.doubleclick.com

Alcohol alc 1077 Alcohol as a pleasurable activity; beer and wine making, cocktail recipes; liquor sellers, wineries, vineyards, breweries, alcohol distributors. Alcohol addiction is classified as “Health and Nutrition.” Bars and restaurants are classified as “Dining and Drinking.”

www.samueladams.com

www.whisky.com



Arts art 1002 Galleries and exhibitions; artists and art; photography; literature and books; performing arts and theater; musicals; ballet; museums; design; architecture. Cinema and television are classified as “Entertainment.”

www.moma.org

www.nga.gov

Astrology astr 1074 Astrology; horoscope; fortune telling; numerology; psychic advice; tarot.

www.astro.com

www.astrology.com

Auctions auct 1088 Online and offline auctions, auction houses, and classified advertisements.

www.craigslist.com

www.ebay.com

Business and Industry

busi 1019 Marketing, commerce, corporations, business practices, workforce, human resources, transportation, payroll, security and venture capital; office supplies; industrial equipment (process equipment), machines and mechanical systems; heating equipment, cooling equipment; materials handling equipment; packaging equipment; manufacturing: solids handling, metal fabrication, construction and building; passenger transportation; commerce; industrial design; construction, building materials; shipping and freight (freight services, trucking, freight forwarders, truckload carriers, freight and transportation brokers, expedited services, load and freight matching, track and trace, rail shipping, ocean shipping, road feeder services, moving and storage).

www.freightcenter.com

www.staples.com

Chat and Instant Messaging

chat 1040 Web-based instant messaging and chat rooms. www.icq.com

www.meebo.com

Cheating and Plagiarism

plag 1051 Promoting cheating and selling written work, such as term papers, for plagiarism.

www.bestessays.com

www.superiorpapers.com

Child Abuse Content

cprn 1064 Worldwide illegal child sexual abuse content. —

Computer Security csec 1065 Offering security products and services for corporate and home users.

www.computersecurity.com

www.symantec.com

Computers and Internet

comp 1003 Information about computers and software, such as hardware, software, software support; information for software engineers, programming and networking; website design; the web and Internet in general; computer science; computer graphics and clipart. “Freeware and Shareware” is a separate category.

www.xml.com

www.w3.org

Dating date 1055 Dating, online personals, matrimonial agencies. www.eharmony.com

www.match.com




Digital Postcards card 1082 Enabling sending of digital postcards and e-cards. www.all-yours.net

www.delivr.net

Dining and Drinking

food 1061 Eating and drinking establishments; restaurants, bars, taverns, and pubs; restaurant guides and reviews.

www.hideawaybrewpub.com

www.restaurantrow.com

DIY Projects diy 1097 Guidance and information to create, improve, modify, decorate and repair objects, articles, without the aid of experts or professionals.

www.familyhandyman.com

www.diy-tips.co.uk

Dynamic and Residential

dyn 1091 IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.

http://109.60.192.55

http://dynalink.co.jp

http://ipadsl.net

Education edu 1001 Education-related, such as schools, colleges, universities, teaching materials, and teachers’ resources; technical and vocational training; online training; education issues and policies; financial aid; school funding; standards and testing.

www.education.com

www.greatschools.org

Entertainment ent 1093 Details or discussion of films; music and bands; television; celebrities and fan websites; entertainment news; celebrity gossip; entertainment venues. Compare with the “Arts” category.

www.eonline.com

www.ew.com

Extreme extr 1075 Material of a sexually violent or criminal nature; violence and violent behavior; tasteless, often gory photographs, such as autopsy photos; photos of crime scenes, crime and accident victims; excessive obscene material; shock websites.

www.car-accidents.com

www.crime-scene-photos.com

Fashion fash 1076 Clothing and fashion; hair salons; cosmetics; accessories; jewelry; perfume; pictures and text relating to body modification; tattoos and piercing; modeling agencies. Dermatological products are classified as “Health and Nutrition.”

www.fashion.net

www.findabeautysalon.com

File Transfer Services

fts 1071 File transfer services with the primary purpose of providing download services and hosted file sharing

www.rapidshare.com

www.yousendit.com

Filter Avoidance filt 1025 Promoting and aiding undetectable and anonymous web usage, including cgi, php and glype anonymous proxy services.

www.bypassschoolfilter.com

www.filterbypass.com

Finance fnnc 1015 Primarily financial in nature, such as accounting practices and accountants, taxation, taxes, banking, insurance, investing, the national economy, personal finance involving insurance of all types, credit cards, retirement and estate planning, loans, mortgages. Stock and shares are classified as “Online Trading.”

finance.yahoo.com

www.bankofamerica.com

Freeware and Shareware

free 1068 Providing downloads of free and shareware software.

www.freewarehome.com

www.shareware.com




Gambling gamb 1049 Casinos and online gambling; bookmakers and odds; gambling advice; competitive racing in a gambling context; sports booking; sports gambling; services for spread betting on stocks and shares. Websites dealing with gambling addiction are classified as “Health and Nutrition.” Government-run lotteries are classified as “Lotteries”.

www.888.com

www.gambling.com

Games game 1007 Various card games, board games, word games, and video games; combat games; sports games; downloadable games; game reviews; cheat sheets; computer games and Internet games, such as role-playing games.

www.games.com

www.shockwave.com

Government and Law

gov 1011 Government websites; foreign relations; news and information relating to government and elections; information relating to the field of law, such as attorneys, law firms, law publications, legal reference material, courts, dockets, and legal associations; legislation and court decisions; civil rights issues; immigration; patents and copyrights; information relating to law enforcement and correctional systems; crime reporting, law enforcement, and crime statistics; military, such as the armed forces, military bases, military organizations; anti-terrorism.

www.usa.gov

www.law.com

Hacking hack 1050 Discussing ways to bypass the security of websites, software, and computers.

www.hackthissite.org

www.gohacking.com

Hate Speech hate 1016 Websites promoting hatred, intolerance, or discrimination on the basis of social group, color, religion, sexual orientation, disability, class, ethnicity, nationality, age, gender, gender identity; sites promoting racism; sexism; racist theology; hate music; neo-Nazi organizations; supremacism; Holocaust denial.

www.kkk.com

www.nazi.org

Health and Nutrition

hlth 1009 Health care; diseases and disabilities; medical care; hospitals; doctors; medicinal drugs; mental health; psychiatry; pharmacology; exercise and fitness; physical disabilities; vitamins and supplements; sex in the context of health (disease and health care); tobacco use, alcohol use, drug use, and gambling in the context of health (disease and health care); food in general; food and beverage; cooking and recipes; food and nutrition, health, and dieting; cooking, including recipe and culinary websites; alternative medicine.

www.health.com

www.webmd.com

Humor lol 1079 Jokes, sketches, comics and other humorous content. Adult humor likely to offend is classified as “Adult.”

www.humor.com

www.jokes.com




Hunting hunt 1098 Professional or sport hunting, gun clubs, and other hunting related sites.

www.africanskyhunting.co.za

www.gillsprimitivearchery.com

Illegal Activities ilac 1022 Promoting crime, such as stealing, fraud, illegally accessing telephone networks; computer viruses; terrorism, bombs, and anarchy; websites depicting murder and suicide as well as explaining ways to commit them.

www.ekran.no

www.thedisease.net

Illegal Downloads ildl 1084 Providing the ability to download software or other materials, serial numbers, key generators, and tools for bypassing software protection in violation of copyright agreements. Torrents are classified as “Peer File Transfer.”

www.keygenguru.com

www.zcrack.com

Illegal Drugs drug 1047 Information about recreational drugs, drug paraphernalia, drug purchase and manufacture.

www.cocaine.org

www.hightimes.com

Infrastructure and Content Delivery Networks

infr 1018 Content delivery infrastructure and dynamically generated content; websites that cannot be classified more specifically because they are secured or otherwise difficult to classify.

www.akamai.net

www.webstat.net

Internet Telephony voip 1067 Telephonic services using the Internet. www.evaphone.com

www.skype.com

Job Search job 1004 Career advice; resume writing and interviewing skills; job placement services; job databanks; permanent and temporary employment agencies; employer websites.

www.careerbuilder.com

www.monster.com

Lingerie and Swimsuits

ling 1031 Intimate apparel and swimwear, especially when modeled.

www.swimsuits.com

www.victoriassecret.com

Lotteries lotr 1034 Sweepstakes, contests and state-sponsored lotteries. www.calottery.com

www.flalottery.com

Military mil 1099 Military, armed forces, military bases, military organizations, anti-terrorism.

www.goarmy.com

www.raf.mod.uk

Mobile Phones cell 1070 Short Message Services (SMS); ringtones and mobile phone downloads. Cellular carrier websites are included in the “Business and Industry” category.

www.cbfsms.com

www.zedge.net




Nature natr 1013 Natural resources; ecology and conservation; forests; wilderness; plants; flowers; forest conservation; forest, wilderness, and forestry practices; forest management (reforestation, forest protection, conservation, harvesting, forest health, thinning, and prescribed burning); agricultural practices (agriculture, gardening, horticulture, landscaping, planting, weed control, irrigation, pruning, and harvesting); pollution issues (air quality, hazardous waste, pollution prevention, recycling, waste management, water quality, and the environmental cleanup industry); animals, pets, livestock, and zoology; biology; botany.

www.enature.com

www.nature.org

News news 1058 News; headlines; newspapers; television stations; magazines; weather; ski conditions.

www.cnn.com

news.bbc.co.uk

Non-Governmental Organizations

ngo 1087 Non-governmental organizations such as clubs, lobbies, communities, non-profit organizations and labor unions.

www.panda.org

www.unions.org

Non-Sexual Nudity nsn 1060 Nudism and nudity; naturism; nudist camps; artistic nudes.

www.artenuda.com

www.naturistsociety.com

Online Communities

comm 1024 Affinity groups; special interest groups; web newsgroups; message boards. Excludes websites classified as “Professional Networking” or “Social Networking.”

www.igda.org

www.ieee.org

Online Meetings meet 1100 Online meetings, desktop sharing, remote access, and other tools that facilitate multi-location collaboration.

www.webex.com

www.gotomeeting.com

Online Storage and Backup

osb 1066 Offsite and peer-to-peer storage for backup, sharing, and hosting.

www.adrive.com

www.dropbox.com

Online Trading trad 1028 Online brokerages; websites that enable the user to trade stocks online; information relating to the stock market, stocks, bonds, mutual funds, brokers, stock analysis and commentary, stock screens, stock charts, IPOs, stock splits. Services for spread betting on stocks and shares are classified as “Gambling.” Other financial services are classified as “Finance.”

www.tdameritrade.com

www.scottrade.com

Organizational Email

pem 1085 Websites used to access business email (often via Outlook Web Access).

—

Paranormal prnm 1101 UFOs, ghosts, cryptid, telekinesis, urban legends, and myths.

www.phantomsandmonsters.com

www.cryptozoology.com




Parked Domains park 1092 Websites that monetize traffic from the domain using paid listings from an ad network, or are owned by “squatters” hoping to sell the domain name for a profit. These also include fake search websites which return paid ad links.

www.domainzaar.com

www.parked.com

Peer File Transfer p2p 1056 Peer-to-peer file request websites. This does not track the file transfers themselves.

www.bittorrent.com

www.limewire.com

Personal Sites pers 1081 Websites about and from private individuals; personal homepage servers; websites with personal contents; personal blogs with no particular theme.

www.karymullis.com

www.stallman.org

Personal VPN pvpn 1102 Virtual Private Network (VPN) sites, or tools that are usually for personal use, which may or may not have been approved for corporate use.

www.bartvpn.com

www.hotspotshield.com

Photo Searches and Images

img 1090 Facilitating the storing and searching for, images, photographs, and clip-art.

www.flickr.com

www.photobucket.com

Politics pol 1083 Websites of politicians; political parties; news and information on politics, elections, democracy, and voting.

www.politics.com

www.thisnation.com

Pornography porn 1054 Sexually explicit text or depictions. Includes explicit anime and cartoons; general explicit depictions; other fetish material; explicit chat rooms; sex simulators; strip poker; adult movies; lewd art; web-based explicit email.

www.redtube.com

www.youporn.com

Professional Networking

pnet 1089 Social networking for the purpose of career or professional development. See also “Social Networking.”

www.linkedin.com

www.europeanpwn.net

Real Estate rest 1045 Information that would support the search for real estate; office and commercial space; real estate listings, such as rentals, apartments, and homes; house building.

www.realtor.com

www.zillow.com

Reference ref 1017 City and state guides; maps, time; reference sources; dictionaries; libraries.

www.wikipedia.org

www.yellowpages.com

Religion rel 1086 Religious content, information about religions; religious communities.

www.religionfacts.com

www.religioustolerance.org

and B2B saas 1080 Web portals for online business services; online meetings.

www.netsuite.com

www.salesforce.com

Safe for Kids kids 1057 Directed at, and specifically approved for, young children.

kids.discovery.com

www.nickjr.com




Science and Technology

sci 1012 Science and technology, such as aerospace, electronics, engineering, mathematics, and other similar subjects; space exploration; meteorology; geography; environment; energy (fossil, nuclear, renewable); communications (telephones, telecommunications).

www.physorg.com

www.science.gov

Search Engines and Portals

srch 1020 Search engines and other initial points of access to information on the Internet.

www.bing.com

www.google.com

Sex Education sxed 1052 Factual websites dealing with sex; sexual health; contraception; pregnancy.

www.avert.org

www.scarleteen.com

Shopping shop 1005 Bartering; online purchasing; coupons and free offers; general office supplies; online catalogs; online malls.

www.amazon.com

www.shopping.com

Social Networking snet 1069 Social networking. See also “Professional Networking.”

www.facebook.com

www.twitter.com

Social Science socs 1014 Sciences and history related to society; archaeology; anthropology; cultural studies; history; linguistics; geography; philosophy; psychology; women's studies.

www.archaeology.org

www.anthropology.net

Society and Culture

scty 1010 Family and relationships; ethnicity; social organizations; genealogy; seniors; child-care.

www.childcare.gov

www.familysearch.org

Software Updates swup 1053 Websites that host updates for software packages. www.softwarepatch.com

www.versiontracker.com

Sports and Recreation

sprt 1008 All sports, professional and amateur; recreational activities; fishing; fantasy sports; public parks; amusement parks; water parks; theme parks; zoos and aquariums; spas.

www.espn.com

www.recreation.gov

Streaming Audio aud 1073 Real-time streaming audio content including Internet radio and audio feeds.

www.live-radio.net

www.shoutcast.com

Streaming Video vid 1072 Real-time streaming video including Internet television, web casts, and video sharing.

www.hulu.com

www.youtube.com

Tobacco tob 1078 Pro-tobacco websites; tobacco manufacturers; pipes and smoking products (not marketed for illegal drug use). Tobacco addiction is classified as “Health and Nutrition.”

www.bat.com

www.tobacco.org

Transportation trns 1044 Personal transportation; information about cars and motorcycles; shopping for new and used cars and motorcycles; car clubs; boats, airplanes, recreational vehicles (RVs), and other similar items. Note, car and motorcycle racing is classified as “Sports and Recreation.”

www.cars.com

www.motorcycles.com




Related Topics

• Managing Updates to the Set of URL Categories, page 9-4

• Reporting Uncategorized and Misclassified URLs, page 9-3

Travel trvl 1046 Business and personal travel; travel information; travel resources; travel agents; vacation packages; cruises; lodging and accommodation; travel transportation; flight booking; airfares; car rental; vacation homes.

www.expedia.com

www.lonelyplanet.com

Unclassified — — Websites which are not in the Cisco database are recorded as unclassified for reporting purposes. This may include mistyped URLs.

—

Weapons weap 1036 Information relating to the purchase or use of conventional weapons such as gun sellers, gun auctions, gun classified ads, gun accessories, gun shows, and gun training; general information about guns; other weapons and graphic hunting sites may be included. Government military websites are classified as “Government and Law.”

www.coldsteel.com

www.gunbroker.com

Web Hosting whst 1037 Website hosting; bandwidth services. www.bluehost.com

www.godaddy.com

Web Page Translation

tran 1063 Translation of web pages between languages. babelfish.yahoo.com

translate.google.com

Web-Based Email mail 1038 Public web-based email services. Websites enabling individuals to access their company or organization’s email service are classified as “Organizational Email.”

mail.yahoo.com

www.hotmail.com




C H A P T E R


10Create Policies to Control Internet Requests

• Overview of Policies: Control Intercepted Internet Requests, page 10-1

• Managing Web Requests Through Policies Task Overview, page 10-3

• Managing Web Requests Through Policies Best Practices, page 10-3

• Policies, page 10-3

• Policy Configuration, page 10-10

• Block, Allow, or Redirect Transaction Requests, page 10-14

• Client Applications, page 10-14

• Time Ranges and Quotas, page 10-16

• Access Control by URL Category, page 10-19

• Remote Users, page 10-20

• Troubleshooting Policies, page 10-23

Overview of Policies: Control Intercepted Internet RequestsWhen the user creates a web request the configured Web Security Appliance intercepts the requests and manages the process of which the request travels to get to its final outcome, be that accessing a particular web site, an email or even accessing an online application. In configuring the Web Security Appliance policies are created to define the criteria and actions of requests made by the user.

Policies are the means by which the Web Security Appliance identifies and controls web requests. When a client sends a web request to a server, the Web Proxy receives the request, evaluates it, and determines to which policy it belongs. Actions defined in the policy are then applied to the request.

The Web Security Appliance uses multiple policy types to manage different aspects of web requests. Policy types might fully manage transactions by themselves or pass transactions along to other policy types for additional processing. Policy types can be groups by the functions they perform, such as access, routing, or security.

AsyncOS evaluates transactions based on policies before it evaluates external dependencies to avoid unnecessary external communication from the appliance. For example, if a transaction is blocked based on a policy that blocks uncategorized URLs, the transaction will not also fail based on a DNS error.


Chapter 10 Create Policies to Control Internet Requests Overview of Policies: Control Intercepted Internet Requests

Intercepted HTTP/HTTPS Request ProcessingThe following diagram depicts the flow of an intercepted Web request as it is processed by the appliance.

Figure 10-1 HTTP/HTTPS Transaction Flow

Also see the following diagrams depicting various transaction processing flows:

• Identification Profiles and Authentication Processing – No Surrogates and IP-based Surrogates

• Identification Profiles and Authentication Processing – Cookie-based Surrogates

• Policy Group Transaction Flow for Access Policies

• Applying Access Policy Actions

• Policy Group Transaction Flow for Decryption Policies

• Applying Decryption Policy Actions

• Policy Group Transaction Flow for Decryption Policies


Chapter 10 Create Policies to Control Internet Requests Managing Web Requests Through Policies Task Overview

Managing Web Requests Through Policies Task Overview

Managing Web Requests Through Policies Best Practices• If you want to use Active Directory user objects to manage web requests, do not use primary groups

as criteria. Active Directory user objects do not contain the primary group.

Policies• Policy Types, page 10-4

• Policy Order, page 10-6


StepTask List for Managing Web Requests through Policies Links to Related Topics and Procedures

1 Set up and sequence Authentication Realms Authentication Realms, page 5-10

2 (For upstream proxies) Create a proxy group. Creating Proxy Groups for Upstream Proxies, page 2-16

2 (Optional) Create Custom Client Applications Client Applications, page 10-14

3 (Optional) Create Custom URL Categories Creating and Editing Custom URL Categories, page 9-14

4 Create Identification Profiles Classifying Users and Client Software, page 6-3

5 (Optional) Create time ranges to Limit Access by Time of Day

Time Ranges and Quotas, page 10-16

6 Create and Order Policies • Creating a Policy, page 10-7

• Policy Order, page 10-6


Chapter 10 Create Policies to Control Internet Requests Policies

Policy Types

Policy Type Request Type Description Link to task

Access • HTTP

• Decrypted HTTPS

• FTP

Block, allow or redirect inbound HTTP, FTP, and decrypted HTTPS traffic.

Access policies also manage inbound encrypted HTTPS traffic if the HTTPS proxy is disabled.

Creating a Policy, page 10-7

SOCKS • SOCKS Allow or block SOCKS communication requests.


Application Authentication

• application Allow or deny access to a Software as a Service (SaaS) application.

Use single sign-on to authenticate users and increase security by allowing access to applications to be quickly disabled.

To use the single sign-on feature of policies you must configure the Web Security appliance as an identity provider and upload or generate a certificate and key for SaaS.

Creating SaaS Application Authentication Policies, page 7-4

Encrypted HTTPS Management

• HTTPS Decrypt, pass through, or drop HTTPS connections.

AsyncOS passes decrypted traffic to Access policies for further processing.


Data Security • HTTP

• Decrypted HTTPS

• FTP

Manage data uploads to the web. Data Security policies scan outbound traffic to ensure it complies to company rules for data uploads, based on its destination and content. Unlike External DLP policies, which redirect outbound traffic to external servers for scanning, Data Security policies use the Web Security appliance to scan and evaluate traffic.


External DLP (Data Loss Prevention)

• HTTP

• Decrypted HTTPS

• FTP

Send outbound traffic to servers running 3rd-party DLP systems, which scan it for adherence to company rules for data uploads. Unlike Data Security policies, which also manage data uploads, External DLP policies move scanning work away from the Web Security appliance, which frees resources on the appliance and leverages any additional functionality offered by 3rd-party software.




Each policy type uses a policy table to store and manage its policies. Each policy table comes with a predefined, global policy, which maintains default actions for a policy type. Additional, user-defined policies are created and added to the policy table as required. Policies are processed in the order in which they are listed in the policy table.

Individual policies define the user-request types they manage, and the actions they perform on those requests. Each policy definition has two main sections:

• Identification Profiles and Users – Identification Profiles are used in policy membership criteria and are particularly important as they contain many options for identifying web transaction. They also share many properties with policies.

• Advanced – The criteria used to identify users to which the policy applies. One or more criteria can be specified in a policy, and all must be match for the criteria to be met.

– Protocols – Allow the transfer of data between various networking devices such as http, https, ftp, etc.

– Proxy Ports – the numbered port by which the request accesses the web proxy,

– Subnets – The logical grouping of connected network devices (such as geographic location or Local Area Network [LAN]), where the request originated

– Time Range – Time ranges can be created for use in policies to identify or apply actions to web requests based on the time or day the requests were made. The time ranges are created as individual units.

– URL Categories – URL categories are predefined or custom categories of websites, such as News, Business, Social Media, etc. These can be used to identify or apply actions to web requests.

– User Agents – These are the client applications (such as updaters and Web browsers) used to make requests. You can define policy criteria based on user agents, and you can specify control settings based on user agents. You can also exempt user agents from authentication, which is useful for applications that cannot prompt for credentials. You can define custom user agents but cannot re-use these definitions other policies.


• HTTP

• Decrypted HTTPS

• FTP

Block, monitor, or allow requests to upload data that may contain malicious data.

Prevent malware that is already present on your network from being transmitted to external networks.


Routing • HTTP

• HTTPS

• FTP

Direct web traffic through upstream proxies or direct it to destination servers. You might want to redirect traffic through upstream proxies to preserve your existing network design, to off-load processing from the Web Security appliance, or to leverage additional functionality provided by 3rd-party proxy systems.

If multiple upstream proxies are available, the Web Security appliance can use load balancing techniques to distribute data to them.


Policy Type Request Type Description Link to task



Note When you define multiple membership criteria, the client request must meet all criteria to match the policy.

Policy OrderThe order in which policies are listed in a policy table determines the priority with which they are applied to Web requests. Web requests are checked against policies beginning at the top of the table and ending at the first policy matched. Any policies below that point in the table are not processed.

If no user-defined policy is matched against a Web request, then the global policy for that policy type is applied. Global policies are always positioned last in Policy tables and cannot be re-ordered.

The following diagram depicts the flow of a client request through the Access policies table.

Figure 10-2 Policy Group Transaction Flow for Access Policies



Creating a Policy

Before You Begin

• Enable the appropriate proxy:

– Web Proxy (for HTTP, decrypted HTTPS, and FTP)

– HTTPS Proxy

– SOCKS Proxy

• Create associated Identification Profiles.

• Understand Policy Order, page 10-6.

• (Encrypted HTTPS only) Upload or generate a Certificate and Key.

• (Data Security only) Enable Cisco Data Security Filters Settings.

• (External DLP only) Define an External DLP server.

• (Routing only) Define the associated upstream proxy on the Web Security appliance.

• (Optional) Create associated client applications.

• (Optional) Create associated time ranges. See Time Ranges and Quotas.

• (Optional) Create associated URL categories. See Creating and Editing Custom URL Categories.

Step 1 In the Policy Settings section, use the Enable Identity check box to enable this policy, or to quickly disable it without deleting it.

Step 2 Assign a unique policy Name.

Step 3 A Description is optional.

Step 4 From the Insert Above drop-down list, choose where this policy is to appear in the table.

Note Arrange policies such that, from top to bottom of the table, they are in most-restrictive to least-restrictive order. See Policy Order, page 10-6 for more information.

Step 5 In the Policy Member Definition section, specify how user and group membership is defined: from the Identification Profiles and Users list, choose one of the following:

• All Identification Profiles – This policy will apply to all existing profiles. You must also define at least one Advanced option.

• Select One or More Identification Profiles – A table for specifying individual Identification Profiles appears, one profile-membership definition per row.

Step 6 If you chose All Identification Profiles:

a. Specify the authorized users and groups to which this policy applies by selecting one of the following options:

• All Authenticated Users – All users identified through authentication or transparent identification.

• Selected Groups and Users – Specified users and groups are used.

To add or edit the specified ISE Secure Group Tags (SGTs) and the specified Users, click the link following the appropriate label. For example, click the list of currently specified users to edit that list. See Adding and Editing Secure Group Tags for a Policy, page 10-10 for more information.



• Guests – Users connected as guests and those failing authentication.

• All Users – All clients, whether authenticated or not. If this option is selected, at least one Advanced option also must be provided.

Step 7 If you chose Select One or More Identification Profiles, a profile-selection table appears.

a. Choose an Identification Profile from the Select Identification Profile drop-down list in the Identification Profiles column.

b. Specify the Authorized Users and Groups to which this policy applies:

• All Authenticated Users – All users identified through authentication or transparent identification.

• Selected Groups and Users – Specified users and groups are used.

To add or edit the specified ISE Secure Group Tags (SGTs) and the specified Users, click the link following the appropriate label. For example, click the list of currently specified users to edit that list. See Adding and Editing Secure Group Tags for a Policy, page 10-10 for more information.

• Guests – Users connected as guests and those failing authentication.

c. To add a row to the profile-selection table, click Add Identification Profile. To delete a row, click the trash-can icon in that row.

Repeat steps (a) through (c) as necessary to add all desired Identification Profiles.



Step 8 Expand the Advanced section to define additional group membership criteria. (This step may be optional depending on selection in the Policy Member Definition section. Also, some of the following options will not be available, depending on the type of policy you are configuring.) .


Protocols Select the protocols to which this policy will apply. All others means any protocol not selected. If the associated identification profile applies to specific protocols, this policy applies to those same protocols.

Proxy Ports Applies this policy only to traffic using specific ports to access the web proxy. Enter one or more port numbers, separating multiple ports with commas.

For explicit forward connections, this is the port configured in the browser.

For transparent connections, this is the same as the destination port.

Note If the associated identification profile applies only to specific proxy ports, you cannot enter proxy ports here.

Subnets Applies this policy only to traffic on specific subnets. Select Specify subnets and enter the specific subnets, separated by commas.

Leave Use subnets from selected Identities selected if you do not want additional filtering by subnet.

Note If the associated identity applies to specific subnets, you can further restrict the application of this policy to a subset of the addresses to which the identity applies.

Time Range You can apply time ranges for policy membership:

• Time Range – Choose a previously defined time range (Time Ranges and Quotas, page 10-16).

• Match Time Range – Use this option to indicate whether this time range is inclusive or exclusive. In other words, whether to match only during the range specified, or at all times except those in the specified range.

URL Categories You can restrict policy membership by specific destinations (URLs) and by categories of URLs. Select all desired custom and predefined categories. See Creating and Editing Custom URL Categories, page 9-14 for information about custom categories.

User Agents You can select specific user agents, and define custom agents using regular expressions, as part of membership definition for this policy.

• Common User Agents

– Browsers – Expand this section to select various Web browsers.

– Others – Expand this section to select specific non-browser agents such as application updaters.

• Custom User Agents – You can enter one or more regular expressions, one per line, to define custom user agents.

• Match User Agents – Use this option to indicate whether these user-agent specifications are inclusive or exclusive. In other words, whether membership definition includes only the selected user agents, or specifically excludes the selected user agents.


Chapter 10 Create Policies to Control Internet Requests Policy Configuration

Adding and Editing Secure Group Tags for a Policy

To change the list of Secure Group Tags (SGTs) assigned to a particular Identification Profile in a policy, click the link following the ISE Secure Group Tags label in the Selected Groups and Users list on the Add/Edit Policy page. (See Creating a Policy, page 10-7.) This link is either “No tags entered,” or it is a list of currently assigned tags. The link opens the Add/Edit Secure Group Tags page.

All SGTs currently assigned to this policy are listed in the Authorized Secure Group Tags section. All SGTs available from the connected ISE server are listed in the Secure Group Tag Search section.

Step 1 To add one or more SGTs to the Authorized Secure Group Tags list, select the desired entries in the Secure Group Tag Search section, and then click Add.

The SGTs already added, are highlighted in green. To quickly find a specific SGT in the list of those available, enter a text string in the Search field.

Step 2 To remove one or more SGTs from the Authorized Secure Group Tags list, select those entries and then click Delete.

Step 3 Click Done to return to the Add/Edit Group page.

Related Topics

• Time Ranges and Quotas

• Using Client Applications in Policies

Policy ConfigurationEach row in a table of policies represents a policy definition, and each column displays current contains a link to a configuration page for that element of the policy.

Note Of the following policy-configuration components, you can specify the “Warn” option only with URL Filtering.



Option Description

Protocols and User Agents

Used to control policy access to protocols and configure blocking for particular client applications, such as instant messaging clients, web browsers, and Internet phone services. You can also configure the appliance to tunnel HTTP CONNECT requests on specific ports. With tunneling enabled, the appliance passes HTTP traffic through specified ports without evaluating it.

URL Filtering AsyncOS for Web allows you to configure how the appliance handles a transaction based on the URL category of a particular HTTP or HTTPS request. Using a predefined category list, you can choose to block, monitor, warn, or set quota-based or time-based filters.

You can also create custom URL categories and then choose to block, redirect, allow, monitor, warn, or apply quota-based or time-based filters for Websites in the custom categories. See Creating and Editing Custom URL Categories, page 9-14 for information about creating custom URL categories.

In addition, you can add exceptions to blocking of embedded or referred content.

Applications The Application Visibility and Control engine (AVC) engine is an Acceptable Use policy component that inspects Web traffic to gain deeper understanding and control of Web traffic used for applications. The appliance allows the Web Proxy to be configured to block or allow applications by Application Types, and by individual applications. You can also apply controls to particular application behaviors, such as file transfers, within a particular application. See Managing Access to Web Applications, page 15-1 for configuration information.



The following diagram shows how the Web Proxy determines which action to take on a request after it has assigned a particular Access Policy to the request. The Web reputation score of the destination server is evaluated only once, but the result is applied at two different points in the decision flow.

Objects Allows the Web Proxy to be configured to block file downloads based on file characteristics, such as file size and file type. An object is, generally, any item that can be individually selected, uploaded, downloaded and manipulated, such as:

• Application: pdf, xml, zip, exe

• Text: cmd, csv, html, javascript

• Image: gif, jpeg, png, tiff

• Video: mp4, Quicktime, avi, wmv

• Audio: mp4, wav, webm, mpeg

• Message: http, xml, rfc822, partial

• x-world: wrl, wrz, xof, 3dmf

Note Object blocking does not inspect inside compressed files.


Web reputation filters allow for a web-based reputation score to be assigned to a URL to determine the probability of it containing URL-based malware. Anti-malware scanning identifies and stops web-based malware threats. Advanced Malware Protection identifies malware in downloaded files.

The Anti-Malware and Reputation policy inherits global settings respective to each component. Within Security Services > Anti-Malware and Reputation, malware categories can be customized to monitor or block based on malware scanning verdicts and web reputation score thresholds can be customized. Malware categories can be further customized within a policy. There are also global settings for file reputation and analysis services.

For more information, see Anti-Malware and Reputation Settings in Access Policies, page 13-9 and Configuring File Reputation and Analysis Features, page 14-5.

Option Description



Figure 10-3 Applying Access Policy Actions


Chapter 10 Create Policies to Control Internet Requests Block, Allow, or Redirect Transaction Requests

Block, Allow, or Redirect Transaction RequestsThe web proxy controls web traffic based on the policies that you create for groups of transaction requests.

• Allow. The Web Proxy permits the connection without interruption. Allowed connections may not have been scanned by the DVS engine.

• Block. The Web Proxy does not permit the connection and instead displays an end user notification page explaining the reason for the block.

• Redirect. The Web Proxy does not allow the connection to the originally requested destination server and instead connects to a different specified URL, see Redirecting Traffic in the Access Policies.

Note The preceding actions are final actions that the Web Proxy takes on a client request. The Monitor action that you can configure for Access Policies is not a final action.

Generally, different types of policies control traffic based on the transport protocol.

Note Decryption policy takes precedence over Access policy.

Client Applications

About Client Applications

Client Applications (such as a web browser) are used to make requests. You can define policy membership based on client applications, and you can specify control settings and exempt client applications from authentication, which is useful for applications that cannot prompt for credentials.

Policy Type Protocols Actions Supported

HTTP HTTPS FTP SOCKS Block Allow Redirect Monitor

Access x x x x x x x

SOCKS x x x

SAAS x x

Decryption x x x

Data Security x x x x x

External DLP x x x x


x x x x x

Routing x x x x


Chapter 10 Create Policies to Control Internet Requests Client Applications

Using Client Applications in Policies

Defining Policy Membership Using Client Applications


Step 2 Click a policy name in the policies table.

Step 3 Expand the Advanced section and click the link in the Client Applications field.

Step 4 Define one or more of the client applications:

Step 5 (Optional) Click the Match All Except The Selected Client Applications Definitions radio button to base the policy membership on all client applications except those you have defined.

Step 6 Click Done.

Defining Policy Control Settings Using Client Applications


Step 2 Find the required policy name in the policies table.

Step 3 Click the cell link in the Protocols and Client Applications column on the same row.

Step 4 Choose Define Custom Settings from the drop-down list in the Edit Protocols and Client Applications Settings pane (if not already set).

Step 5 Enter a regular expression in the Custom Client Applications field that matches the client application you wish to define. Enter additional regular expressions on new lines as required.

Tip Click Example Client Application Patterns for examples of regular expressions.


Option Method

Choose a predefined client application

Expand the Browser and Other sections and check the required client application check boxes.

Tip Choose only the Any Version options when possible, as this provides better performance than having multiple selections.

Define a custom client application

Enter an appropriate regular expression in the Custom Client Applications field. Enter additional regular expressions on new lines as required.

Tip Click Example Client Applications Patterns for examples of regular expressions.


Chapter 10 Create Policies to Control Internet Requests Time Ranges and Quotas

Exempting Client Applications from Authentication

Time Ranges and QuotasYou can apply time ranges and time and volume quotas to access policies and decryption policies to restrict when a user has access, as well as their maximum connection time or data volume (also referred to as a “bandwidth quota”).

• Time Ranges for Policies and Acceptable Use Controls, page 10-16

• Time and Volume Quotas, page 10-17

Time Ranges for Policies and Acceptable Use ControlsTime ranges are defined periods of time during which policies and acceptable use controls apply.

Note You cannot use time ranges to define the times at which users must authenticate. Authentication requirements are defined in Identification Profiles, which do not support time ranges.

• Creating a Time Range, page 10-16

Creating a Time Range

Step 1 Choose Web Security Manager > Define Time Ranges and Quotas.

Step 2 Click Add Time Range.

Step 3 Enter a name for the time range.

Step 4 Choose a Time Zone option:

• Use Time Zone Setting From Appliance – Use the same time zone as the Web Security appliance.

• Specify Time Zone for this Time Range – Define a different time zone, either as a GMT Offset, or as a region, country and a specific time zone in that country.

Step 5 Check one or more Day of Week check boxes.

Step 6 Select a Time of Day option:

• All Day – Use the full 24-hour period.

Step Task Link

Step 1 Create an Identification Profile that does not require authentication.

Classifying Users and Client Software

Step 2 Set the Identification Profile membership as the client application to exempt.

Using Client Applications in Policies

Step 3 Place the Identification Profile above all other Identification Profiles in the policies table that require authentication.

Policy Order



• From and To – Define a specific range of hours: enter a start time and end time in HH:MM (24-hour format).

Tip Each time range defines a start time and an end-time boundary. For example, entering 8:00 through 17:00 matches 8:00:00 through 16:59:59, but not 17:00:00. Midnight must be specified as 00:00 for a start time, and as 24:00 for an end time.


Time and Volume QuotasQuotas allow individual users to continue accessing an Internet resource (or a class of Internet resources) until they exhaust the data volume or time limit imposed. AsyncOS enforces defined quotas on HTTP, HTTPS and FTP traffic.

As a user approaches either their time or volume quota, AsyncOS displays first a warning, and then a block page.

Please note the following regarding use of time and volume quotas:

• If AsyncOS is deployed in transparent mode and HTTPS proxy is disabled, there is no listening on port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit mode, you can set quotas in your access policies.

When HTTPS proxy is enabled, possible actions on a request are pass-through, decrypt, drop, or monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.

With pass-through, you will also have the option to set quotas for tunnel traffic. With decrypt, this option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.

• If URL Filtering is disabled or if its feature key is unavailable, AsyncOS cannot identify the category of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to be present, and Acceptable Use Policies enabled, to configure quotas..

• Many websites such as Facebook and Gmail auto-update at frequent intervals. If such a website is left open in an unused browser window or tab, it will continue to consume the user’s quota of time and volume.

• A proxy restart will cause quotas to be reset, potentially allowing much more access than planned. A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on. Some confusion is possible, as administrators are not explicitly informed about proxy restarts.

• Your EUN pages (both warning and block) cannot be displayed for HTTPS even when decrypt-for-EUN option is enabled.

Note The most restrictive quota will always apply when more than one quota applies to any given user.

• Volume Quota Calculations, page 10-18

• Time Quota Calculations, page 10-18

• Defining Time and Volume Quotas, page 10-18



Volume Quota Calculations

Calculation of volume quotas is as follows:

• HTTP and decrypted HTTPS traffic – The HTTP request and response body are counted toward quota limits. The request headers and response headers will not be counted toward the limits.

• Tunnel traffic (including tunneled HTTPS) – AsyncOS simply shuttles the tunneled traffic from the client to the server, and vice versa. The entire data volume of the tunnel traffic is counted toward quota limits.

• FTP – The control-connection traffic is not counted. The size of the file uploaded and downloaded is counted toward quota limits.

Note Only client-side traffic is counted toward quota limits. Cached content also counts toward the limit, as client-side traffic is generated even when a response is served from the cache.

Time Quota Calculations

Calculation of time quotas is as follows:

• HTTP and decrypted HTTPS traffic – The duration of each connection to the same URL category, from formation to disconnect, plus one minute, is counted toward the time quota limit. If multiple requests are made to the same URL category within one minute of each other, they are counted as one continuous session and the one minute is added only at the end of this session (that is, after at least one minute of “silence”).

• Tunnel traffic (including tunneled HTTPS) – The actual duration of the tunnel, from formation to disconnect, counts toward quota limits. The above calculation for multiple requests applies to tunneled traffic as well.

• FTP – The actual duration of the FTP control session, from formation to disconnect, counts toward quota limits. The above calculation for multiple requests applies to FTP traffic as well.

Defining Time and Volume Quotas

Before You Begin

• Go to Security Services > Acceptable Use Controls to enable Acceptable Use Controls.

• Define a time range unless you want the quota to apply as a daily limit. See Defining Time and Volume Quotas.

Step 1 Navigate to Web Security Manager > Define Time Ranges and Quotas.

Step 2 Click Add Quota.

Step 3 Enter a unique Quota Name in the field.

Step 4 To reset the quota every day, select Reset this quota daily at and enter a time in the 12-hour format in the field, then choose AM or PM from the menu. Alternatively, select Select a predefined time range profile.

Step 5 To set a time quota, select the Time Quota check box and choose the number of hours from the hrs menu and the number of minutes from the mins menu, from zero (always blocked) to 23 hours and 59 minutes.

Step 6 To set a volume quota enter a number in the field and choose KB (kilobytes), MB (megabytes), or GB (gigabytes) from the menu.


Chapter 10 Create Policies to Control Internet Requests Access Control by URL Category

Step 7 Click Submit and then click Commit Changes to apply your changes. Alternatively, click Cancel to abandon your changes.

What to Do Next

• (Optional) Navigate to Security Services > End-User Notification to configure end-user notifications for quotas.

Access Control by URL CategoryYou can identify and action Web requests based on the category of Website they address. The Web Security appliance ships with many predefined URL categories, such as Web-based Email and others.

Predefined categories, and the Websites associated with them, are defined within filtering databases that reside on the Web Security appliance. These databases are automatically kept up to date by Cisco. You can also create custom URL categories for host names and IP addresses that you specify.

URL categories can be used by all policies except policies to identify requests. They can also be used by Access, Encrypted HTTPS Management and Data Security policies to apply actions to requests.

See Creating and Editing Custom URL Categories, page 9-14 for information about creating custom URL categories.

Using URL Categories to Identify Web Requests

Before You Begin

• Enable Acceptable Use Control, see Configuring the URL Filtering Engine.

• (Optional) Create Custom URL Categories, see Creating and Editing Custom URL Categories, page 9-14.

Step 1 Choose a policy type (except SaaS) from the Web Security Manager menu.

Step 2 Click a policy name in the policies table (or add a new policy).

Step 3 Expand the Advanced section and click the link in the URL Categories field.

Step 4 Click the Add column cells corresponding to URL Categories you wish to identify web requests by. Do this for the Custom URL Categories and Predefined URL Categories lists as required.

Step 5 Click Done.


Using URL Categories to Action Web Request

Before You Begin

• Enable Acceptable Use Control, see Configuring the URL Filtering Engine.

• (Optional) Create Custom URL Categories, see Creating and Editing Custom URL Categories.


Chapter 10 Create Policies to Control Internet Requests Remote Users

Note If you have used URL categories as criteria within a policy then those categories alone are available to specify actions against within the same policy. Some of the options described below may differ or be unavailable because of this.

Step 1 Choose one of Access Policies, Cisco Data Security Policies, or Encrypted HTTPS Management from the Web Security Manager menu.

Step 2 Find the required policy name in the policies table.

Step 3 Click the cell link in the URL Filtering column on the same row.

Step 4 (Optional) Add custom URL categories:





Step 5 Choose an action for each custom and predefined URL category.

Note Available actions vary between custom and predefined categories and between policy types.

Step 6 In the Uncategorized URLs section, choose the action to take for client requests to web sites that do not fall into a predefined or custom URL category.


Remote Users• About Remote Users, page 10-20

• How to Configure Identification of Remote Users, page 10-21

• Display Remote User Status and Statistics for ASAs, page 10-22

About Remote UsersCisco AnyConnect Secure Mobility extends the network perimeter to remote endpoints, enabling the integration of web filtering services offered by the Web Security appliance.

Remote and mobile users use the Cisco AnyConnect Secure VPN (virtual private network)client to establish VPN sessions with the Adaptive Security Appliance (ASA). The ASA sends web traffic to the Web Security appliance along with information identifying the user by IP address and user name. The Web Security appliance scans the traffic, enforces acceptable use policies, and protects the user from security threats. The security appliance returns all traffic deemed safe and acceptable to the user.



When Secure Mobility is enabled, you can configure identities and policies to apply to users by their location:

• Remote users. These users are connected to the network from a remote location using VPN. The Web Security appliance automatically identifies remote users when both the Cisco ASA and Cisco AnyConnect client are used for VPN access. Otherwise, the Web Security appliance administrator must specify remote users by configuring a range of IP addresses.

• Local users. These users are connected to the network either physically or wirelessly.

When the Web Security appliance integrates with a Cisco ASA, you can configure it to identify users by an authenticated user name transparently to achieve single sign-on for remote users.

How to Configure Identification of Remote Users

Configuring Identification of Remote Users

Step 1 Security Services > AnyConnect Secure Mobility, and click Enable.

Step 2 Read the terms of the AnyConnect Secure Mobility License Agreement, and click Accept.

Task Further information

1. Configure identification of remote users. Configuring Identification of Remote Users, page 10-21

2. Create an identity for remote users. Classifying Users and Client Software, page 6-3

a. In the “Define Members by User Location” section, select Remote Users Only.

b. In the “Define Members by Authentication” section, select “Identify Users Transparently through Cisco ASA Integration.”

3. Create a policy for remote users. Creating a Policy, page 10-7



Step 3 Configure how to identify remote users.


Display Remote User Status and Statistics for ASAsUse this command to display information related to Secure Mobility when the Web Security appliance is integrated with an ASA.

Option Description Additional Steps

IP Address Specify a range of IP addresses that the appliance should consider as assigned to remote devices.

1. Enter a range of IP addresses in the IP Range field.

2. Go to step 4

Cisco ASA Integration

Specify one or more Cisco ASA the Web Security appliance communicates with. The Cisco ASA maintains an IP address-to-user mapping and communicates that information with the Web Security appliance. When the Web Proxy receives a transaction, it obtains the IP address and determines the user by checking the IP address-to-user mapping. When users are determined by integrating with a Cisco ASA, you can enable single sign-on for remote users.

1. Enter the Cisco ASA host name or IP address.

2. Enter the port number used to access the ASA. The default port number for the Cisco ASA is 11999.

3. If multiple Cisco ASA are configured in a cluster, click Add Row and configure each ASA in the cluster.

Note If two Cisco ASA are configured for high availability, enter only one host name or IP address for the active Cisco ASA.

4. Enter the access passphrase for the Cisco ASA.

Note The passphrase you enter here must match the access passphrase configured for the specified Cisco ASA.

5. Optional, click Start Test to verify the Web Security appliance can connect to the configured Cisco ASA.

Command Description

musstatus This command displays the following information:

• The status of the Web Security appliance connection with each ASA.

• The duration of the Web Security appliance connection with each ASA in minutes.

• The number of remote clients from each ASA.

• The number of remote clients being serviced, which is defined as the number of remote clients that have passed traffic through the Web Security appliance.

• The total number of remote clients.


Chapter 10 Create Policies to Control Internet Requests Troubleshooting Policies

Troubleshooting Policies• Access Policy not Configurable for HTTPS, page A-15

• Some Microsoft Office Files Not Blocked, page A-15

• Blocking DOS Executable Object Types Blocks Updates for Windows OneCare, page A-15

• Identification Profile Disappeared from Policy, page A-15

• Policy is Never Applied, page A-16


• User Matches Global Policy for HTTPS and FTP over HTTP Requests, page A-16

• User Assigned Incorrect Access Policy, page A-16

• Policy Troubleshooting Tool: Policy Trace, page A-17


Chapter 10 Create Policies to Control Internet Requests Troubleshooting Policies

C H A P T E R


11Create Decryption Policies to Control HTTPS Traffic

• Overview of Create Decryption Policies to Control HTTPS Traffic, page 11-1

• Managing HTTPS Traffic through Decryption Policies Best Practices, page 11-2

• Decryption Policies, page 11-2

• Root Certificates, page 11-8

• Routing HTTPS Traffic, page 11-14

Overview of Create Decryption Policies to Control HTTPS TrafficDecryption policies define the handling of HTTPS traffic within the web proxy:

• When to decrypt HTTPS traffic.

• How to handle requests that use invalid or revoked security certificates.

You can create decryption policies to handle HTTPS traffic in the following ways:

• Pass through encrypted traffic

• Decrypt traffic and apply the content-based access policies defined for HTTP traffic. This also makes malware scanning possible.

• Drop the HTTPS connection

• Monitor the request (take no final action) as the web proxy continues to evaluate the request against policies that may lead to a final drop, pass through, or decrypt action.

Caution Handle personally identifiable information with care: If you choose to decrypt an end-user’s HTTPS session, the Web Security appliance access logs and reports may contain personally identifiable information. The Administrator can configure how much URI text is stored in the logs using the advancedproxyconfig CLI command and the HTTPS subcommand. You can log the entire URI, or a partial form of the URI with the query portion removed. However, even when you choose to strip the query from the URI, personally identifiable information may still remain.


Chapter 11 Create Decryption Policies to Control HTTPS Traffic Managing HTTPS Traffic through Decryption Policies Best Practices

Managing HTTPS Traffic through Decryption Policies Task Overview

Managing HTTPS Traffic through Decryption Policies Best Practices

• Create fewer, more general Decryption Policy groups that apply to all users or fewer, larger groups of users on the network. Then, if you need to apply more granular control to decrypted HTTPS traffic, use more specific Access Policy groups.

Decryption Policies The appliance can perform any of the following actions on an HTTPS connection request:

StepTask List for Managing HTTPS Traffic through Decryption Policies Links to Related Topics and Procedures

1 Enabling the HTTPS proxy Enabling the HTTPS Proxy, page 11-4

2 Upload or Generate a certificate and key • Uploading a Root Certificate and Key, page 11-10

• Generating a Certificate and Key for the HTTPS Proxy, page 11-11

3 Configuring Decryption options Configuring Decryption Options, page 11-8

5 (Optional) Configure invalid certificate handling

Configuring Invalid Certificate Handling, page 11-11

6 (Optional) Enabling real-time revocation status checking

Enabling Real-Time Revocation Status Checking, page 11-13

7 (Optional) Manage trusted and blocked certificates

Trusted Root Certificates, page 11-13

Option Description

Monitor Monitor is an intermediary action that indicates the Web Proxy should continue evaluating the transaction against the other control settings to determine which final action to ultimately apply.

Drop The appliance drops the connection and does not pass the connection request to the server. The appliance does not notify the user that it dropped the connection.


Chapter 11 Create Decryption Policies to Control HTTPS Traffic Decryption Policies

All actions except Monitor are final actions the Web Proxy applies to a transaction. A final action is an action that causes the Web Proxy to stop evaluating the transaction against other control settings. For example, if a Decryption Policy is configured to monitor invalid server certificates, the Web Proxy makes no final decision on how to handle the HTTPS transaction if the server has an invalid certificate. If a Decryption Policy is configured to block servers with a low Web reputation score, then any request to a server with a low reputation score is dropped without considering the URL category actions.

The following diagram shows how the Web Proxy evaluates a client request against the Decryption Policy groups. Figure 11-2 on page 11-7 shows the order the Web Proxy uses when evaluating control settings for Decryption Policies. Figure 10-3 on page 10-13 shows the order the Web Proxy uses when evaluating control settings for Access Policies.

Pass through The appliance passes through the connection between the client and the server without inspecting the traffic content.

However, with a standard pass-through policy, the WSA does check the validity of the requested server by initiating an HTTPS handshake with the server. This validity check includes server certificate validation. If the server fails the check, the transaction is blocked.

You can skip validation checks for specific sites by configuring policies that incorporate custom categories which include these sites, thereby indicating that these sites are trustworthy—these sites are passed through without validity checks. Exercise care when configuring policies that allow validity checks to be skipped.

Decrypt The appliance allows the connection, but inspects the traffic content. It decrypts the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP connection. By decrypting the connection and applying Access Policies, you can scan the traffic for malware.

Option Description



Figure 11-1 Policy Group Transaction Flow for Decryption Policies

Enabling the HTTPS ProxyTo monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy. When you enable the HTTPS Proxy, you must configure what the appliance uses for a root certificate when it sends self-signed server certificates to the client applications on the network. You can upload a root certificate and key that your organization already has, or you can configure the appliance to generate a certificate and key with information you enter.

Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by Decryption Policies. Also on this page, you can configure what the appliance does with HTTPS traffic when the server certificate is invalid.

Before You Begin

• When the HTTPS proxy is enabled, HTTPS-specific rules in access policies are disabled and the web proxy processes decrypted HTTPS traffic using rules for HTTP.



Step 1 Security Services > HTTPS Proxy, click Enable and Edit Settings.

The HTTPS Proxy License Agreement appears.

Step 2 Read the terms of the HTTPS Proxy License Agreement, and click Accept.

Step 3 Verify the Enable HTTPS Proxy field is enabled.

Step 4 In the HTTPS Ports to Proxy field, enter the ports the appliance should check for HTTPS traffic. Port 443 is the default port.

Note The maximum number of ports for which the Web Security appliance can serve as proxy is 30, which includes both HTTP and HTTPS.

Step 5 Upload or generate a root/signing certificate to use for decryption.

Note If the appliance has both an uploaded certificate and key pair and a generated certificate and key pair, it only uses the certificate and key pair currently selected in the Root Certificate for Signing section.

Step 6 In the HTTPS Transparent Request section, select one of the following options:

• Decrypt the HTTPS request and redirect for authentication

• Deny the HTTPS request

This setting only applies to transactions that use IP address as the authentication surrogate and when the user has not yet been authenticated.

Note This field only appears when the appliance is deployed in transparent mode.

Step 7 In the Applications that Use HTTPS section, choose whether to enable decryption for enhanced application visibility and control.

Note Decryption may cause some applications to fail unless the root certificate for signing is installed on the client. For more information on the appliance root certificate, see.


Related Topics

• Managing Certificate Validation and Decryption for HTTPS, page 11-9



Controlling HTTPS TrafficAfter the Web Security appliance assigns an HTTPS connection request to a Decryption Policy group, the connection request inherits the control settings of that policy group. The control settings of the Decryption Policy group determine whether the appliance decrypts, drops, or passes through the connection:

Option Description

URL Categories You can configure the action to take on HTTPS requests for each predefined and custom URL category. Click the link under the URL Filtering column for the policy group you want to configure.

Note If you want to block (with end-user notification) a particular URL category for HTTPS requests instead of drop (with no end-user notification), choose to decrypt that URL category in the Decryption Policy group and then choose to block the same URL category in the Access Policy group.

Web Reputation You can configure the action to take on HTTPS requests based on the web reputation score of the requested server. Click the link under the Web Reputation column for the policy group you want to configure.

Default Action You can configure the action the appliance should take when none of the other settings apply. Click the link under the Default Action column for the policy group you want to configure.

Note The configured default action only affects the transaction when no decision is made based on URL category or Web Reputation score. If Web Reputation filtering is disabled, the default action applies to all transactions that match a Monitor action in a URL category. If Web Reputation filtering is enabled, the default action is used only if the Monitor action is selected for sites with no score.



The following diagram shows how the appliance determines which action to take on an HTTPS request after it has assigned a particular Decryption Policy to the request. The Web reputation score of the destination server is evaluated only once, but the result is applied at two different points in the decision flow. For example, note that a Web reputation score Drop action overrides any action specified for predefined URL categories.

Figure 11-2 Applying Decryption Policy Actions


Chapter 11 Create Decryption Policies to Control HTTPS Traffic Root Certificates

Configuring Decryption Options

Before You Begin

• Verify that the HTTPS proxy is enabled as described in Enabling the HTTPS Proxy, page 11-4

Step 1 Security Services > HTTPS Proxy.


Step 3 Enable the decryption options.

Authentication and HTTPS ConnectionsAuthentication at the HTTPS connection layer is available for these types of requests:

Root CertificatesThe HTTPS proxy uses the root certificates and private key files that you upload to the appliance to decrypt traffic. The root certificate and private key files you upload to the appliance must be in PEM format; DER format is not supported.

You can enter root certificate information in the following ways:

• Generate. You can enter some basic organization information and then click a button so the appliance generates the rest of the certificate and a private key.

Decryption Option Description

Decrypt for Authentication

For users who have not been authenticated prior to this HTTPS transaction, allow decryption for authentication.

Decrypt for End-User Notification

Allow decryption so that AsyncOS can display the end-user notification.

Note If the certificate is invalid and invalid certificates are set to drop, when running a policy trace, the first logged action for the transaction will be “decrypt”.

Decrypt for End-User Acknowledgment

For users who have not acknowledged the web proxy prior to this HTTPS transaction, allow decryption so that AsyncOS can display the end-user acknowledgment.

Decrypt for Application Detection

Enhances the ability of AsyncOS to detect HTTPS applications.

Option Description

Explicit requests • secure client authentication disabled or

• secure client authentication enabled and an IP-based surrogate

Transparent requests

• IP-based surrogate, decryption for authentication enabled or

• IP-based surrogate, client previously authenticated using an HTTP request



• Upload. You can upload a certificate file and its matching private key file created outside of the appliance.

Note You can also upload an intermediate certificate that has been signed by a root certificate authority. When the Web Proxy mimics the server certificate, it sends the uploaded certificate along with the mimicked certificate to the client application. That way, as long as the intermediate certificate is signed by a root certificate authority that the client application trusts, the application will trust the mimicked server certificate, too. See About Certificates and Keys, page 22-25 for more information.

You can choose how to handle the root certificates issued by the Web Security appliance:

• Inform users to accept the root certificate. You can inform the users in your organization what the new policies are at the company and tell them to accept the root certificate supplied by the organization as a trusted source.

• Add the root certificate to client machines. You can add the root certificate to all client machines on the network as a trusted root certificate authority. This way, the client applications automatically accept transactions with the root certificate.



Step 3 Click the Download Certificate link for either the generated or uploaded certificate.

Note To reduce the possibility of client machines getting a certificate error, submit the changes after you generate or upload the root certificate to the Web Security appliance, then distribute the certificate to client machines, and then commit the changes to the appliance.

Managing Certificate Validation and Decryption for HTTPSThe Web Security appliance validates certificates before inspecting and decrypting content.

Valid Certificates

Qualities of a valid certificate:

• Not expired. The certificate’s validity period includes the current date.

• Recognized certificate authority. The issuing certificate authority is included in the list of trusted certificate authorities stored on the Web Security appliance.

• Valid signature. The digital signature was properly implemented based on cryptographic standards.

• Consistent naming. The common name matches the hostname specified in the HTTP header.

• Not revoked. The issuing certificate authority has not revoked the certificate.

Related Topics

• Managing Certificate Validation and Decryption for HTTPS, page 11-9

• Configuring Invalid Certificate Handling, page 11-11



• Options for Certificate Revocation Status Checking, page 11-12

• Enabling Real-Time Revocation Status Checking, page 11-13

Invalid Certificate Handling

The appliance can perform one of the following actions for invalid server certificates:

• Drop.

• Decrypt.

• Monitor.

Certificates that are Invalid for Multiple Reasons

For server certificates that are invalid due to both an unrecognized root authority and an expired certificate, the HTTPS proxy performs the action that applies to unrecognized root authorities.

In all other cases, for server certificates that are invalid for multiple reasons simultaneously, the HTTPS Proxy performs actions in order from the most restrictive action to the least restrictive action.

Untrusted Certificate Warnings for Decrypted Connections

When the Web Security appliance encounters an invalid certificate and is configured to decrypt the connection, AsyncOS creates an untrusted certificate that requires the end-user to accept or reject the connection. The common name of the certificate is “Untrusted Certificate Warning.”

Adding this untrusted certificate to the list of trusted certificates will remove the end user’s option to accept or reject the connection.

When AsyncOS generates one of these certificates, it creates a proxy log entry with the text “Signing untrusted key” or “Signing untrusted cert”.

Uploading a Root Certificate and Key

Before You Begin

• Enable the HTTPS Proxy. Enabling the HTTPS Proxy, page 11-4.



Step 3 Select Use Uploaded Certificate and Key.

Step 4 Click Browse for the Certificate field to navigate to the certificate file stored on the local machine.

If the file you upload contains multiple certificates or keys, the Web Proxy uses the first certificate or key in the file.

Step 5 Click Browse for the Key field to navigate to the private key file.

Note The key length must be 512, 1024, or 2048 bits.

Step 6 Select Key is Encrypted if the key is encrypted.

Step 7 Click Upload Files to transfer the certificate and key files to the Web Security appliance.



The uploaded certificate information is displayed on the Edit HTTPS Proxy Settings page.

Step 8 (Optional) Click Download Certificate so you can transfer it to the client applications on the network.

Generating a Certificate and Key for the HTTPS Proxy

Before You Begin

• Enable the HTTPS Proxy. Enabling the HTTPS Proxy, page 11-4.



Step 3 Select Use Generated Certificate and Key.

Step 4 Click Generate New Certificate and Key.

Step 5 In the Generate Certificate and Key dialog box, enter the information to display in the root certificate.

You can enter any ASCII character except the forward slash ( / ) in the Common Name field.

Step 6 Click Generate.

Step 7 The generated certificate information is displayed on the Edit HTTPS Proxy Settings page.

Step 8 (Optional) Click Download Certificate so you can transfer it to the client applications on the network.

Step 9 (Optional) Click the Download Certificate Signing Request link. so you can submit the Certificate Signing Request (CSR) to a certificate authority (CA).

Step 10 (Optional) Upload the signed certificate to the Web Security appliance after receiving it back from the CA. You can do this at anytime after generating the certificate on the appliance.


Configuring Invalid Certificate Handling

Before You Begin

• Verify that the HTTPS proxy is enabled as described in Enabling the HTTPS Proxy, page 11-4





Step 3 For each type of certificate error, define the proxy response, Drop, Decrypt or Monitor.


Options for Certificate Revocation Status Checking

To determine whether the issuing certificate authority has revoked a certificate, the Web Security appliance can check with the issuing certificate authority in these ways:

• Certificate Revocation List (Comodo certificates only). The Web Security appliance checks Comodo’s certificate revocation list. Comodo maintains this list, updating it according to their own policies. Depending on when it was last updated, the certificate revocation list may be out of date at the time the Web Security appliance checks it.

• Online Certificate Status Protocol (OCSP). The Web Security appliance checks the revocation status with the issuing certificate authority in real time. If the issuing certificate authority supports OCSP, the certificate will include a URL for real-time status checking. This feature is enabled by default for fresh installations and disabled by default for updates.

Note The Web Security appliance only performs the OCSP query for certificates that it determines to be valid in all other respects and that include the OCSP URL.

Related Topics

• Enabling Real-Time Revocation Status Checking, page 11-13

• Configuring Invalid Certificate Handling, page 11-11

Certificate Error Type Description

Expired The current date falls outside of the range of validity for the certificate.

Mismatched hostname The hostname in the certificate does not match the hostname the client was trying to access.

Note The Web Proxy can only perform hostname match when it is deployed in explicit forward mode. When it is deployed in transparent mode, it does not know the hostname of the destination server (it only knows the IP address), so it cannot compare it to the hostname in the server certificate.

Unrecognized root authority/issuer

Either the root authority or an intermediate certificate authority is unrecognized.

Invalid signing certificate

There was a problem with the signing certificate.

Invalid leaf certificate There was a problem with the leaf certificate, for example, a rejection, decoding, or mismatch problem.

All other error types Most other error types are due to the appliance not being able to complete the SSL handshake with the HTTPS server. For more information about additional error scenarios for server certificates, see http://www.openssl.org/docs/apps/verify.html.



Enabling Real-Time Revocation Status Checking

Before You Begin

• Ensure the HTTPS Proxy is enabled. See Enabling the HTTPS Proxy, page 11-4



Step 3 Select Enable Online Certificate Status Protocol (OCSP).

Step 4 Configure the OCSP Result Handling properties,

Cisco recommends configuring the OCSP Result Handling options to the same actions as Invalid Certificate Handling options. For example, if you set Expired Certificate to Monitor, configure Revoked Certificate to monitor.

Step 5 (Optional) Expand the Advanced configuration section and configure the settings described below.


Trusted Root CertificatesThe Web Security appliance ships with and maintains a list of trusted root certificates. Web sites with trusted certificates do not require decryption.

Field Name Description

OCSP Valid Response Cache Timeout

Time to wait before rechecking a valid OCSP response in seconds (s), minutes (m), hours (h), or days (d). Default unit is seconds. Valid range is from 1 second to 7 days.

OCSP Invalid Response Cache Timeout

Time to wait before rechecking an invalid OCSP response in seconds (s), minutes (m), hours (h), or days (d). Default unit is seconds. Valid range is from 1 second to 7 days.

OCSP Network Error Cache Timeout

Time to wait before attempting to contact the OCSP responder again after failing to get a response in seconds (s), minutes (m), hours (h), or days (d). Valid range from 1 second to 24 hours.

Allowed Clock Skew Maximum allowed difference in time settings between the Web Security appliance and the OCSP responder in seconds (s) or minutes (m). Valid range from 1 second to 60 minutes.

Maximum Time to Wait for OCSP Response

Maximum time to wait for a response from the OCSP responder. Valid range is from 1 second to 10 minutes. Specify a shorter duration to reduce delays in end user access to HTTPS requests in the event that the OCSP responder is unavailable.

Use upstream proxy for OCSP checking

Group Name of the upstream proxies.

Servers exempt from upstream proxy

IP addresses or hostnames of the servers to exempt. May be left blank.


Chapter 11 Create Decryption Policies to Control HTTPS Traffic Routing HTTPS Traffic

You can manage the trusted certificate list, adding certificates to it and functionally removing certificates from it. While the Web Security appliance does not delete certificates from the master list, it allows you to override trust in a certificate, which functionally removes the certificate from the trusted list.

Adding Certificates to the Trusted List

Before You Begin

• Verify that the HTTPS Proxy is enabled. See Enabling the HTTPS Proxy, page 11-4


Step 2 Click Manage Trusted Root Certificates.

Step 3 Click Import.

Step 4 Click Browse and navigate to the certificate file.


Look for the certificate you uploaded in the Custom Trusted Root Certificates list.

Removing Certificates from the Trusted List

Step 1 Select Security Services > HTTPS Proxy.

Step 2 Click Manage Trusted Root Certificates.

Step 3 Select the Override Trust checkbox corresponding to the certificate you wish to remove from the list.


Routing HTTPS TrafficThe ability of AsyncOS to route HTTPS transactions based on information stored in client headers is limited and is different for transparent and explicit HTTPS.

Option Description

Transparent HTTPS

In the case of transparent HTTPS, AsyncOS does not have access to information in the client headers. Therefore, AsyncOS cannot enforce routing policies that rely on information in client headers.

Explicit HTTPS In the case of explicit HTTPS, AsyncOS has access to the following information in client headers:

• URL

• Destination port number

Therefore, for explicit HTTPS transactions, it is possible to match a routing policy based on URL or port number.


Chapter 11 Create Decryption Policies to Control HTTPS Traffic Troubleshooting Decryption/HTTPS/Certificates

Troubleshooting Decryption/HTTPS/Certificates• Accessing HTTPS Sites Using Routing Policies with URL Category Criteria, page A-8

• HTTPS with IP-based Surrogates and Transparent Requests, page A-9

• Bypassing Decryption for Particular Websites, page A-9

• Alert: Problem with Security Certificate, page A-10


Chapter 11 Create Decryption Policies to Control HTTPS Traffic Troubleshooting Decryption/HTTPS/Certificates

C H A P T E R


12Scan Outbound Traffic for Existing Infections

• Overview of Scanning Outbound Traffic, page 12-1

• Understanding Upload Requests, page 12-2

• Creating Outbound Malware Scanning Policies, page 12-3

• Controlling Upload Requests, page 12-4

• Logging of DVS Scanning, page 12-6

Overview of Scanning Outbound TrafficTo prevent malicious data from leaving the network, the Web Security appliance provides the Outbound Malware Scanning feature. Using policy groups, you can define which uploads are scanned for malware, which anti-malware scanning engines to use for scanning, and which malware types to block.

The Cisco Dynamic Vectoring and Streaming (DVS) engine scans transaction requests as they leave the network. By working with the Cisco DVS engine, the Web Security appliance enables you to prevent users from unintentionally uploading malicious data.

You can perform the following tasks:

User Experience When Requests Are Blocked by the DVS Engine When the Cisco DVS engine blocks an upload request, the Web Proxy sends a block page to the end user. However, not all Websites display the block page to the end user. Some Web 2.0 Websites display dynamic content using Javascript instead of a static Webpage and are not likely to display the block page. Users are still properly blocked from uploading malicious data, but they may not always be informed of this by the Website.

Task Link to Task

Create policies to block malware Creating Outbound Malware Scanning Policies, page 12-4

Assign upload requests to outbound malware policy groups

Controlling Upload Requests, page 12-6


Chapter 12 Scan Outbound Traffic for Existing Infections Understanding Upload Requests

Understanding Upload RequestsOutbound Malware Scanning Policies define whether or not the Web Proxy blocks HTTP requests and decrypted HTTPS connections for transactions that upload data to a server (upload requests). An upload request is an HTTP or decrypted HTTPS request that has content in the request body.

When the Web Proxy receives an upload request, it compares the request to the Outbound Malware Scanning policy groups to determine which policy group to apply. After it assigns the request to a policy group, it compares the request to the policy group’s configured control settings to determine whether to block the request or monitor the request. When an Outbound Malware Scanning Policy determines to monitor a request, it is evaluated against the Access Policies, and the final action the Web Proxy takes on the request is determined by the applicable Access Policy.

Note Upload requests that try to upload files with a size of zero (0) bytes are not evaluated against Outbound Malware Scanning Policies.

Criteria for Group MembershipEach client request is assigned to an Identity and is then evaluated against the other policy types to determine to which policy group it belongs for each type. The Web Proxy applies the configured policy control settings to a client request based on the request’s policy group membership.

The Web Proxy follows a specific process for matching the group membership criteria. It considers the following factors for group membership:

Matching Client Requests to Outbound Malware Scanning Policy GroupsThe Web Proxy compares the upload request status to the membership criteria of the first policy group. If they match, the Web Proxy applies the policy settings of that policy group.

If they do not match, the Web Proxy compares the upload request to the next policy group. It continues this process until it matches the upload request to a user defined policy group. If it does not match a user defined policy group, it matches the global policy group. When the Web Proxy matches the upload request to a policy group or the global policy group, it applies the policy settings of that policy group.

Criteria Description

Identification Profile

Each client request either matches an Identification Profile, fails authentication and is granted guest access, or fails authentication and is terminated.

Authorized users If the assigned Identification Profile requires authentication, the user must be in the list of authorized users in the Outbound Malware Scanning Policy group to match the policy group. The list of authorized users can be any of the specified groups or users or can be guest users if the Identification Profile allows guest access.

Advanced options You can configure several advanced options for Outbound Malware Scanning Policy group membership. Some options, such as proxy port and URL category, can also be defined within the Identification Profile. When an advanced option is configured in the Identification Profile, it is not configurable in the Outbound Malware Scanning Policy group level.


Chapter 12 Scan Outbound Traffic for Existing Infections Creating Outbound Malware Scanning Policies

Creating Outbound Malware Scanning PoliciesYou can create Outbound Malware Scanning Policy groups based on combinations of several criteria, such as one or more Identities or the URL category of the destination site. You must define at least one criterion for policy group membership. When you define multiple criteria, the upload request must meet all criteria to match the policy group. However, the upload request needs to match only one of the configured Identities.

Step 1 Choose Web Security Manager > Outbound Malware Scanning.


Step 3 Enter a name and an optional description for the policy group.


Step 4 In the Insert Above Policy field, select where in the policies table to place the policy group.

When configuring multiple policy groups, you must specify a logical order for each group.

Step 5 In the Identification Profiles and Users section, select one or more Identity groups to apply to this policy group.


Step 7 To define policy group membership by any of the advanced options, click the link for the advanced option and configure the option on the page that appears.


Protocols Choose whether or not to define policy group membership by the protocol used in the client request. Select the protocols to include.

“All others” means any protocol not listed above this option.

Note When the HTTPS Proxy is enabled, only Decryption Policies apply to HTTPS transactions. You cannot define policy membership by the HTTPS protocol for Access, Routing, Outbound Malware Scanning, Data Security, or External DLP Policies.

Proxy Ports Choose whether or not to define policy group membership by the proxy port used to access the Web Proxy. Enter one or more port numbers in the Proxy Ports field. Separate multiple ports with commas.

For explicit forward connections, this is the port configured in the browser. For transparent connections, this is the same as the destination port.

If you define policy group membership by the proxy port when client requests are transparently redirected to the appliance, some requests might be denied.

Note If the Identity associated with this policy group defines Identity membership by this advanced setting, the setting is not configurable at the non-Identity policy group level.


Chapter 12 Scan Outbound Traffic for Existing Infections Controlling Upload Requests

Step 8 Submit your changes.

Step 9 Configure Outbound Malware Scanning Policy group control settings to define how the Web Proxy handles transactions.

The new Outbound Malware Scanning Policy group automatically inherits global policy group settings until you configure options for each control setting.


Controlling Upload Requests Each upload request is assigned to an Outbound Malware Scanning Policy group and inherits the control settings of that policy group. After the Web Proxy receives the upload request headers, it has the information necessary to decide if it should scan the request body. The DVS engine scans the request and returns a verdict to the Web Proxy. The block page appears to the end user, if applicable.

Step 1 Choose Web Security Manager > Outbound Malware Scanning.

Step 2 In the Destinations column, click the link for the policy group you want to configure.

Subnets Choose whether or not to define policy group membership by subnet or other addresses.

You can select to use the addresses that may be defined with the associated Identity, or you can enter specific addresses here.

Note If the Identity associated with this policy group defines its membership by addresses, then in this policy group you must enter addresses that are a subset of the addresses defined in the Identity. Adding addresses in the policy group further narrows down the list of transactions that match this policy group.

URL Categories Choose whether or not to define policy group membership by URL categories. Select the user defined or predefined URL categories.


User Agents Choose whether to define policy group membership by the user agents (client applications such as updaters and Web browsers) used in the client request. You can select some commonly defined user agents, or define your own using regular expressions. Specify whether membership definition includes only the selected user agents, or specifically excludes the selected user agents.

Note If the Identification Profile associated with this policy group defines Identification Profile membership by this advanced setting, the setting is not configurable at the non-Identification Profile policy group level.

User Location Choose whether or not to define policy group membership by user location, either remote or local.



Chapter 12 Scan Outbound Traffic for Existing Infections Controlling Upload Requests

Step 3 In the Edit Destination Settings section, select “Define Destinations Scanning Custom Settings” from the drop-down menu.

Step 4 In the Destinations to Scan section, select one of the following:


Step 6 In the Anti-Malware Filtering column, click the link for the policy group.

Step 7 In the Anti-Malware Settings section, select “Define Anti-Malware Custom Settings”.

Step 8 In the Cisco IronPort DVS Anti-Malware Settings section, select which anti-malware scanning engines to enable for this policy group.

Step 9 In the Malware Categories section, select whether to monitor or block the various malware categories.

The categories listed in this section depend on which scanning engines you enable.

Note URL transactions are categorized as unscannable when the configured maximum time setting is reached or when the system experiences a transient error condition. For example, transactions might be categorized as unscannable during scanning engine updates or AsyncOS upgrades. The malware scanning verdicts SV_TIMEOUT and SV_ERROR are considered unscannable transactions.


Option Description

Do not scan any uploads The DVS engine scans no upload requests. All upload requests are evaluated against the Access Policies

Scan all uploads The DVS engine scans all upload requests. The upload request is blocked or evaluated against the Access Policies, depending on the DVS engine scanning verdict

Scan uploads to specified custom URL categories

The DVS engine scans upload requests that belong in specific custom URL categories. The upload request is blocked or evaluated against the Access Policies, depending on the DVS engine scanning verdict.

Click Edit custom categories list to select the URL categories to scan


Chapter 12 Scan Outbound Traffic for Existing Infections Logging of DVS Scanning

Logging of DVS ScanningThe access logs indicate whether or not the DVS engine scanned an upload request for malware. The scanning verdict information section of each access log entry includes values for the DVS engine activity for scanned uploads. You can also add one of the fields to the W3C or access logs to more easily find this DVS engine activity:

When the DVS engine marks an upload request as being malware and it is configured to block malware uploads, the ACL decision tag in the access logs is BLOCK_AMW_REQ.

However, when the DVS engine marks an upload request as being malware and it is configured to monitor malware uploads, the ACL decision tag in the access logs is actually determined by the Access Policy applied to the transaction.

To determine whether or not the DVS engine scanned an upload request for malware, view the results of the DVS engine activity in the scanning verdict information section of each access log entry.

Table 12-1 Log Fields in W3C Logs and Format Specifiers in Access Logs

W3C Log Field Format Specifier in Access Logs

x-req-dvs-scanverdict %X2

x-req-dvs-threat-name %X4

x-req-dvs-verdictname %X3

C H A P T E R


13Configuring Security Services

• Overview of Configuring Security Services, page 13-1

• Overview of Web Reputation Filters, page 13-2

• Overview of Anti-Malware Scanning, page 13-4

• Understanding Adaptive Scanning, page 13-7

• Enabling Anti-Malware and Reputation Filters, page 13-7

• Configuring Anti-Malware and Reputation in Policies, page 13-8

• Maintaining the Database Tables, page 13-13

• Logging of Web Reputation Filtering Activity and DVS Scanning, page 13-13

• Caching, page 13-14

• Malware Category Descriptions, page 13-14

Overview of Configuring Security Services The Web Security appliance uses security components to protect end users from a range of malware threats. You can configure anti-malware and web reputation settings for each policy group. When you configure Access Policies, you can also have AsyncOS for Web choose a combination of anti-malware scanning and web reputation scoring to use when determining what content to block.

To protect end users from malware, you enable these features on the appliance, and then configure anti-malware and web reputation settings per policy.

Option Description Link

Anti-malware scanning Works with multiple anti-malware scanning engines integrated on the appliance to block malware threats

Overview of Anti-Malware Scanning, page 13-4

Web Reputation Filters Analyzes web server behavior and determines whether the URL contains URL-based malware

Overview of Web Reputation Filters, page 13-2


Protects from threats in downloaded files by evaluating file reputation and by analyzing file characteristics.

Overview of File Reputation Filtering and File Analysis, page 14-1


Chapter 13 Configuring Security Services Overview of Web Reputation Filters

Related Topics



Overview of Web Reputation Filters Web Reputation Filters assigns a web-based reputation score (WBRS) to a URL to determine the likelihood that it contains URL-based malware. The Web Security appliance uses web reputation scores to identify and stop malware attacks before they occur. You can use Web Reputation Filters with Access, Decryption, and Cisco IronPort Data Security Policies.

Web Reputation ScoresWeb Reputation Filters use data to assess the reliability of Internet domains and score the reputation of URLs. The web reputation calculation associates a URL with network parameters to determine the probability that malware exists. The aggregate probability that malware exists is then mapped to a Web Reputation Score between -10 and +10, with +10 being the least likely to contain malware.

Example parameters include the following:

• URL categorization data

• Presence of downloadable code

• Presence of long, obfuscated End-User License Agreements (EULAs)

• Global volume and changes in volume

• Network owner information

• History of a URL

• Age of a URL

• Presence on any block lists

• Presence on any allow lists

• URL typos of popular domains

• Domain registrar information

• IP address information

Note Cisco does not collect identifiable information such as user names, passphrases, or client IP addresses.

Understanding How Web Reputation Filtering WorksWeb Reputation Scores are associated with an action to take on a URL request. You can configure each policy group to correlate an action to a particular Web Reputation Score. The available actions depend on the policy group type that is assigned to the URL request:


Chapter 13 Configuring Security Services Overview of Web Reputation Filters

Web Reputation in Access Policies

When you configure web reputation settings in Access Policies, you can choose to configure the settings manually, or let AsyncOS for Web choose the best options using Adaptive Scanning. When Adaptive Scanning is enabled, you can enable or disable web reputation filtering in each Access Policy, but you cannot edit the Web Reputation Scores.

By default, URLs in an HTTP request that are assigned a Web Reputation Score of +7 are allowed and require no further scanning. However, a weaker score for an HTTP request, such as +3, is automatically forwarded to the Cisco IronPort DVS engine where it is scanned for malware. Any URL in an HTTP request that has a poor reputation is blocked.

Related Topics


Policy Type Action

Access Policies You can choose to block, scan, or allow

Decryption Policies You can choose to drop, decrypt, or pass through

Cisco IronPort Data Security Policies You can choose to block or monitor

Score Action Description Example

-10 to -6.0 Block Bad site. The request is blocked, and no further malware scanning occurs.

• URL downloads information without user permission.

• Sudden spike in URL volume.

• URL is a typo of a popular domain.

-5.9 to 5.9 Scan Undetermined site. Request is passed to the DVS engine for further malware scanning. The DVS engine scans the request and server response content.

• Recently created URL that has a dynamic IP address and contains downloadable content.

• Network owner IP address that has a positive Web Reputation Score.

6.0 to 10.0 Allow Good site. Request is allowed. No malware scanning required.

• URL contains no downloadable content.

• Reputable, high-volume domain with long history.

• Domain present on several allow lists.

• No links to URLs with poor reputations.


Chapter 13 Configuring Security Services Overview of Anti-Malware Scanning

Web Reputation in Decryption Policies

Web Reputation in Cisco IronPort Data Security Policies

Overview of Anti-Malware Scanning The Web Security appliance anti-malware feature uses the Cisco IronPort DVS™ engine in combination with anti-malware scanning engines to stop web-based malware threats. The DVS engine works with the Webroot™, McAfee, and Sophos anti-malware scanning engines.

The scanning engines inspect transactions to determine a malware scanning verdict to pass to the DVS engine. The DVS engine determines whether to monitor or block the request based on the malware scanning verdicts. To use the anti-malware component of the appliance, you must enable anti-malware scanning and configure global settings, and then apply specific settings to different policies.

Related Topics


• Related Topics, page 13-8

Understanding How the DVS Engine Works

The DVS engine performs anti-malware scanning on URL transactions that are forwarded from the Web Reputation Filters. Web Reputation Filters calculate the probability that a particular URL contains malware, and assign a URL score that is associated with an action to block, scan, or allow the transaction.

When the assigned web reputation score indicates to scan the transaction, the DVS engine receives the URL request and server response content. The DVS engine, in combination with the Webroot and/or Sophos or McAfee scanning engines, returns a malware scanning verdict. The DVS engine uses information from the malware scanning verdicts and Access Policy settings to determine whether to block or deliver the content to the client.

Score Action Description

-10 to -9.0 Drop Bad site. The request is dropped with no notice sent to the end user. Use this setting with caution.

-8.9 to 5.9 Decrypt Undetermined site. Request is allowed, but the connection is decrypted and Access Policies are applied to the decrypted traffic.

6.0 to 10.0 Pass through Good site. Request is passed through with no inspection or decryption.

Score Action Description

-10 to -6.0 Block Bad site. The transaction is blocked, and no further scanning occurs.

-5.9 to 0.0 Monitor The transaction will not be blocked based on Web Reputation, and will proceed to content checks (file type and size).

Note Sites with no score are monitored.



Working with Multiple Malware Verdicts

The DVS engine might determine multiple malware verdicts for a single URL. Multiple verdicts can come from one or both enabled scanning engines:

• Different verdicts from different scanning engines. When you enable both Webroot and either Sophos or McAfee, each scanning engine might return different malware verdicts for the same object. When a URL causes multiple verdicts from both enabled scanning engines, the appliance performs the most restrictive action. For example, if one scanning engine returns a block verdict and the other a monitor verdict, the DVS engine always blocks the request.

• Different verdicts from the same scanning engine. A scanning engine might return multiple verdicts for a single object when the object contains multiple infections. When a URL causes multiple verdicts from the same scanning engine, the appliance takes action according to the verdict with the highest priority. The following text lists the possible malware scanning verdicts from the highest to the lowest priority.

• Virus

• Trojan Downloader

• Trojan Horse

• Trojan Phisher

• Hijacker

• System monitor

• Commercial System Monitor

• Dialer

• Worm

• Browser Helper Object

• Phishing URL

• Adware

• Encrypted file

• Unscannable

• Other Malware

Webroot ScanningThe Webroot scanning engine inspects objects to determine the malware scanning verdict to send to the DVS engine. The Webroot scanning engine inspects the following objects:

• URL request. Webroot evaluates a URL request to determine if the URL is a malware suspect. If Webroot suspects the response from this URL might contain malware, the appliance monitors or blocks the request, depending on how the appliance is configured. If Webroot evaluation clears the request, the appliance retrieves the URL and scans the server response.

• Server response. When the appliance retrieves a URL, Webroot scans the server response content and compares it to the Webroot signature database.



McAfee ScanningThe McAfee scanning engine inspects objects downloaded from a web server in HTTP responses. After inspecting the object, it passes a malware scanning verdict to the DVS engine so the DVS engine can determine whether to monitor or block the request.

The McAfee scanning engine uses the following methods to determine the malware scanning verdict:

• Matching virus signature patterns

• Heuristic analysis

Matching Virus Signature Patterns

McAfee uses virus definitions in its database with the scanning engine to detect particular viruses, types of viruses, or other potentially unwanted software. It searches for virus signatures in files. When you enable McAfee, the McAfee scanning engine uses this method to scan server response content.

Heuristic Analysis

Heuristic analysis is a technique that uses general rules, rather than specific rules, to detect new viruses and malware. When the McAfee scanning engine uses heuristic analysis, it looks at the code of an object, applies generic rules, and determines how likely the object is to be virus-like.

Using heuristic analysis increases the possibility of reporting false positives (clean content designated as a virus) and might impact appliance performance.When you enable McAfee, you can choose whether or not to also enable heuristic analysis when scanning objects.

McAfee Categories

Sophos ScanningThe Sophos scanning engine inspects objects downloaded from a web server in HTTP responses. After inspecting the object, it passes a malware scanning verdict to the DVS engine so the DVS engine can determine whether to monitor or block the request. You might want to enable the Sophos scanning engine instead of the McAfee scanning engine if McAfee anti-malware software is installed.

McAfee Verdict Malware Scanning Verdict Category

Known Virus Virus

Trojan Trojan Horse

Joke File Adware

Test File Virus

Wannabe Virus

Killed Virus

Commercial Application Commercial System Monitor

Potentially Unwanted Object Adware

Potentially Unwanted Software Package Adware

Encrypted File Encrypted File


Chapter 13 Configuring Security Services Understanding Adaptive Scanning

Understanding Adaptive ScanningAdaptive Scanning decides which anti-malware scanning engine (including Advanced Malware Protection scanning for downloaded files) will process the web request.

Adaptive Scanning applies the ‘Outbreak Heuristics’ anti-malware category to transactions it identifies as malware prior to running any scanning engines. You can choose whether or not to block these transactions when you configure anti-malware settings on the appliance.

Adaptive Scanning and Access Policies

When Adaptive Scanning is enabled, some anti-malware and reputation settings that you can configure in Access Policies are slightly different:

• You can enable or disable web reputation filtering in each Access Policy, but you cannot edit the Web Reputation Scores.

• You can enable anti-malware scanning in each Access Policy, but you cannot choose which anti-malware scanning engine to enable. Adaptive Scanning chooses the most appropriate engine for each web request.

Note If Adaptive Scanning is not enabled and an Access Policy has particular web reputation and anti-malware settings configured, and then Adaptive Scanning is enabled, any existing web reputation and anti-malware settings are overridden.

Per-policy Advanced Malware Protection settings are the same whether or not Adaptive Scanning is enabled.

Enabling Anti-Malware and Reputation FiltersBefore You Begin

• Check the Web Reputation Filters, DVS engine, and the Webroot, McAfee, and Sophos scanning engines are enabled. By default these should be enabled during system setup.

Step 1 Choose Security Services > Anti-Malware and Reputation.


Step 3 Configure settings as necessary.

Setting Description

Web Reputation Filtering

Choose whether or not to enable Web Reputation Filtering.

Adaptive Scanning Choose whether or not to enable Adaptive Scanning. You can only enable Adaptive Scanning when Web Reputation Filtering is enabled.

File Reputation Filtering and File Analysis

See Enabling and Configuring File Reputation and Analysis Services, page 14-7.


Chapter 13 Configuring Security Services Configuring Anti-Malware and Reputation in Policies


Related Topics


• McAfee Scanning, page 13-6

Configuring Anti-Malware and Reputation in PoliciesWhen Anti-Malware and Reputation Filters are enabled on the appliance, you can configure different settings in policy groups. You can enable monitoring or blocking for malware categories based on malware scanning verdicts.

You can configure anti-malware settings in the following policy groups:

DVS Engine Object Scanning Limits

Specify a maximum request/response size.

The Maximum Object Size value you specify applies to the entire size of requests and responses that might be scanned by all anti-malware and anti-virus scanning engines and by Advanced Malware Protection features. When an upload or download size exceeds this size, the security component may abort the scan in progress and may not provide a scanning verdict to the Web Proxy.

Sophos Choose whether or not to enable the Sophos scanning engine.

McAfee Choose whether or not to enable the McAfee scanning engine.

When you enable the McAfee scanning engine, you can choose whether or not to enable heuristic scanning.

Note Heuristic analysis increases security protection, but can result in false positives and decreased performance.

Webroot Choose whether or not to enable the Webroot scanning engine.

When you enable the Webroot scanning engine, you can configure the Threat Risk Threshold (TRT). The TRT assigns a numerical value to the probability that malware exists.

Proprietary algorithms evaluate the result of a URL matching sequence and assign a Threat Risk Rating (TRR). This value is associated with the threat risk threshold setting. If the TRR value is greater than or equal to the TRT, the URL is considered malware and is passed on for further processing.

Note Setting the Threat Risk Threshold to a value lower than 90 dramatically increases the rate of URL blocking and denies legitimate requests. Cisco strongly recommends maintaining the TRT default value of 90. The minimum value for a TRT setting is 51.

Setting Description



You can configure web reputation settings in the following policy groups:

You can configure Advanced Malware Protection settings only in Access Policies. See Configuring File Reputation and Analysis Features, page 14-5.

Anti-Malware and Reputation Settings in Access PoliciesWhen Adaptive Scanning is enabled, the web reputation and anti-malware settings you can configure for Access Policies are slightly different than when Adaptive Scanning is turned off.

Note If your deployment includes a Security Management appliance, and you are configuring this feature in a Configuration Master, options on this page depend on whether Adaptive Security is enabled for the relevant configuration master. Check the setting on the Security Management appliance, on the Web > Utilities > Security Services Display page.

Related Topics


Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Enabled


Step 2 Click the Anti-Malware and Reputation link for the Access Policy you want to configure.

Step 3 Under the Web Reputation and Anti-Malware Settings section, choose Define Web Reputation and Anti-Malware Custom Settings.

This allows you to configure web reputation and anti-malware settings for this Access Policy that differ from the global policy.

Policy Type Link to Task

Access Policies Anti-Malware and Reputation Settings in Access Policies, page 13-9

Outbound Malware Scanning Policies Controlling Upload Requests Using Outbound Malware Scanning Policies

Policy Type Link to Task

Access Policies Anti-Malware and Reputation Settings in Access Policies, page 13-9

Decryption Policies Configuring Web Reputation Filter Settings for Decryption Policy Groups, page 13-12

Cisco Data Security Policies Configuring Web Reputation Filter Settings for Decryption Policy Groups, page 13-12



Step 4 In the Web Reputation Settings section, choose whether or not to enable Web Reputation Filtering. Adaptive Scanning chooses the most appropriate web reputation score thresholds for each web request.

Step 5 Configure the settings in the Advanced Malware Protection Settings section.

Step 6 Scroll down to the Cisco DVS Anti-Malware Settings section.

Step 7 Configure the anti-malware settings for the policy as necessary.


Related Topics


Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Disabled


Step 2 Click the Anti-Malware and Reputation link for the Access Policy you want to configure.


Setting Description

Enable Suspect User Agent Scanning

Choose whether or not to scan traffic based on the user-agent field specified in the HTTP request header.

When you select this checkbox, you can choose to monitor or block suspect user agents in the Additional Scanning section at the bottom of the page.

Note Chrome browsers do not include a user-agent string in FTP-over-HTTP requests; therefore, Chrome cannot be detected as the user agent in those requests.

Enable Anti-Malware Scanning

Choose whether or not to use the DVS engine to scan traffic for malware. Adaptive Scanning chooses the most appropriate engine for each web request.

Malware Categories Choose whether to monitor or block the various malware categories based on a malware scanning verdict.

Other Categories Choose whether to monitor or block the types of objects and responses listed in this section.

Note The category Outbreak Heuristics applies to transactions which are identified as malware by Adaptive Scanning prior to running any scanning engines.

Note URL transactions are categorized as unscannable when the configured maximum time setting is reached or when the system experiences a transient error condition. For example, transactions might be categorized as unscannable during scanning engine updates or AsyncOS upgrades. The malware scanning verdicts SV_TIMEOUT and SV_ERROR, are considered unscannable transactions.




Step 4 Configure the settings in the Web Reputation Settings section.

Step 5 Configure the settings in the Advanced Malware Protection Settings section.

Step 6 Scroll down to the Cisco DVS Anti-Malware Settings section.

Step 7 Configure the anti-malware settings for the policy as necessary.

Note When you enable Webroot, Sophos or McAfee scanning, you can choose to monitor or block some additional categories in the Malware categories on this page


Related Topics

• Configuring Web Reputation Score Thresholds for Access Policies, page 13-12


Setting Description

Enable Suspect User Agent Scanning

Choose whether or not to enable the appliance to scan traffic based on the user-agent field specified in the HTTP request header.

When you select this checkbox, you can choose to monitor or block suspect user agents in the Additional Scanning section at the bottom of the page.

Note Chrome browsers do not include a user-agent string in FTP-over-HTTP requests; therefore, Chrome cannot be detected as the user agent in those requests.

Enable Webroot Choose whether or not to enable the appliance to use the Webroot scanning engine when scanning traffic.

Enable Sophos or McAfee

Choose whether or not to enable the appliance to use either the Sophos or McAfee scanning engine when scanning traffic.

Malware Categories Choose whether to monitor or block the various malware categories based on a malware scanning verdict. The categories listed in this section depend on which scanning engines you enable above.

Other Categories Choose whether to monitor or block the types of objects and responses listed in this section.

Note URL transactions are categorized as unscannable when the configured maximum time setting is reached or when the system experiences a transient error condition. For example, transactions might be categorized as unscannable during scanning engine updates or AsyncOS upgrades. The malware scanning verdicts SV_TIMEOUT and SV_ERROR, are considered unscannable transactions.



Configuring Web Reputation ScoresWhen you install and set up the Web Security appliance, it has default settings for Web Reputation Scores. However, you can modify threshold settings for web reputation scoring to fit your organization’s needs.You configure the web reputation filter settings for each policy group.

Configuring Web Reputation Score Thresholds for Access Policies


Step 2 Click the link under the Anti-Malware and Reputation column for the Access Policy group you want to edit.



Step 4 Verify the Enable Web Reputation Filtering field is enabled.

Step 5 Move the markers to change the range for URL block, scan, and allow actions.


Note You can edit the web reputation score thresholds in Access Policies when Adaptive Scanning is disabled

Configuring Web Reputation Filter Settings for Decryption Policy Groups

Step 1 Choose Web Security Manager > Decryption Policies.

Step 2 Click the link under the Web Reputation column for the Decryption Policy group you want to edit.

Step 3 Under the Web Reputation Settings section, choose Define Web Reputation Custom Settings. This allows you to override the web reputation settings from the Global Policy Group.

Step 4 Verify the Enable Web Reputation Filtering field is checked.

Step 5 Move the markers to change the range for URL drop, decrypt, and pass through actions.

Step 6 In the Sites with No Score field, choose the action to take on request for sites that have no assigned Web Reputation Score.


Configuring Web Reputation Filter Settings for Data Security Policy Groups

Step 1 Choose Web Security Manager > Cisco IronPort Data Security.

Step 2 Click the link under the Web Reputation column for the Data Security Policy group you want to edit.

Step 3 Under the Web Reputation Settings section, choose Define Web Reputation Custom Settings.


Chapter 13 Configuring Security Services Maintaining the Database Tables

This allows you to override the web reputation settings from the Global Policy Group.

Step 4 Move the marker to change the range for URL block and monitor actions.


Note Only negative and zero values can be configured for web reputation threshold settings for Cisco IronPort Data Security Policies. By definition, all positive scores are monitored

Maintaining the Database TablesThe web reputation, Webroot, Sophos, and McAfee databases periodically receive updates from the Cisco IronPort update server. Server updates are automated and the update interval is set by the server.

The Web Reputation DatabaseThe Web Security appliance maintains a filtering database that contains statistics and information about how different types of requests are handled. The appliance can also be configured to send web reputation statistics to a Cisco SensorBase Network server. SensorBase server information is leveraged with data feeds from the SensorBase Network and the information is used to produce a Web Reputation Score.

Logging of Web Reputation Filtering Activity and DVS Scanning The access log file records the information returned by the Web Reputation Filters and the DVS engine for each transaction. The scanning verdict information section in the access logs includes many fields to help understand the cause for the action applied to a transaction. For example, some fields display the web reputation score or the malware scanning verdict Sophos passed to the DVS engine.

Logging Adaptive Scanning

Transactions blocked and monitored by the adaptive scanning engine use the ACL decision tags:

• BLOCK_AMW_RESP

• MONITOR_AMW_RESP

Custom Field in Access Logs

Custom Field in W3C Logs

Description

%X6 x-as-malware-threat-name

he anti-malware name returned by Adaptive Scanning. If the transaction is not blocked, this field returns a hyphen (“-”). This variable is included in the scanning verdict information (in the angled brackets at the end of each access log entry).


Chapter 13 Configuring Security Services Caching

CachingThe following guidelines explains how AsyncOS uses the cache while scanning for malware:

• AsyncOS only caches objects if the entire object downloads. If malware is blocked during scanning, the whole object is not downloaded and therefore is not cached.

• AsyncOS scans content whether it is retrieved from the server or from the web cache.

• The length of time that content is cached varies with many factors - there is no default.

• AsyncOS rescans content when signatures are updated.

Malware Category Descriptions

Malware Type Description

Adware Adware encompasses all software executables and plug-ins that direct users towards products for sale. These programs may also change security settings making it impossible for users to make changes to their system settings.

Browser Helper Object A browser helper object is a browser plug-in that may perform a variety of functions related to serving advertisements or hijacking user settings.

Commercial System Monitor

A commercial system monitor is a piece of software with system monitor characteristics that can be obtained with a legitimate license through legal means.

Dialer A dialer is a program that utilizes your modem or another type of Internet access to connect you to a phone line or a site that causes you to accrue long distance charges to which you did not provide your full consent.

Generic Spyware Spyware is a type of malware installed on computers that collects small pieces of information about users without their knowledge.

Hijacker A hijacker modifies system settings or any unwanted changes to a user’s system that may direct them to a website or run a program without a users consent.

Known Malicious and High-Risk Files

These are files that were identified as threats by the Advanced Malware Protection file reputation service.

Other Malware This category is used to catch all other malware and suspicious behavior that does not exactly fit in one of the other defined categories.

Phishing URL A phishing URL is displayed in the browser address bar. In some cases, it involves the use of domain names and resembles those of legitimate domains.

PUA Potentially Unwanted Application. A PUA is an application that is not malicious, but may be considered to be undesirable.

System Monitor A system monitor encompasses any software that performs one of the following:

• Overtly or covertly records system processes and/or user action.

• Makes those records available for retrieval and review at a later time.

Trojan Downloader A trojan downloader is a Trojan that, after installation, contacts a remote host/site and installs packages or affiliates from the remote host.


Chapter 13 Configuring Security Services Malware Category Descriptions

Trojan Horse A trojan horse is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.

Trojan Phisher A trojan phisher may sit on an infected computer waiting for a specific web page to be visited or may scan the infected machine looking for user names and passphrases.

Virus A virus is a program or piece of code that is loaded onto your computer without your knowledge.

Worm A worm is program or algorithm that replicates itself over a computer network and performs malicious actions.

Malware Type Description


Chapter 13 Configuring Security Services Malware Category Descriptions

C H A P T E R

14-1AsyncOS 9.0 for Cisco Web Security Appliances User Guide

14File Reputation Filtering and File Analysis

• Overview of File Reputation Filtering and File Analysis, page 14-1

• Configuring File Reputation and Analysis Features, page 14-5

• File Reputation and File Analysis Reporting and Tracking, page 14-11

• Taking Action When File Threat Verdicts Change, page 14-13

• Troubleshooting File Reputation and Analysis, page 14-14

Overview of File Reputation Filtering and File Analysis Advanced Malware Protection protects against zero-day and targeted file-based threats by:

• Obtaining the reputation of known files.

• Analyzing behavior of certain files that are not yet known to the reputation service.

• Continuously evaluating emerging threats as new information becomes available, and notifying you about files that are determined to be threats after they have entered your network.

These features are available only for file downloads. Uploaded files are not evaluated.

The reputation service is in the cloud. The file analysis service has options for either public- or private-cloud (on-premises).

File Threat Verdict Updates Threat verdicts can change as new information emerges. A file may initially be evaluated as unknown or clean, and the user may thus be allowed to access the file. If the threat verdict changes as new information becomes available, you will be alerted, and the file and its new verdict appear in the AMP Verdict Updates report. You can investigate the point-of-entry transaction as a starting point to remediating any impacts of the threat.

Verdicts can also change from malicious to clean.

When the appliance processes subsequent instances of the same file, the updated verdict is immediately applied.

Information about the timing of verdict updates is included in the file-criteria document referenced in Supported Files for File Reputation and Analysis Services, page 14-3.


Chapter 14 File Reputation Filtering and File Analysis Overview of File Reputation Filtering and File Analysis

Related Topics

• File Reputation and File Analysis Reporting and Tracking, page 14-11


File Processing Overview First, the web site from which the file is downloaded is evaluated against the Web Based Reputation Service (WBRS).

If the web reputation score of the site is in the range configured to “Scan,” the appliance simultaneously scans the transaction for malware and queries the cloud-based service for the reputation of the file. (If the site’s reputation score is in the “Block” range, the transaction is handled accordingly and there is no need to process the file further.) If malware is found during scanning, the transaction is blocked regardless of the reputation of the file.

If Adaptive Scanning is also enabled, file reputation evaluation and file analysis are included in Adaptive Scanning.

Communications between the appliance and the file reputation service are encrypted and protected from tampering.

After a file’s reputation is evaluated:

• If the file is known to the file reputation service and is determined to be clean, the file is released to the end user.

• If the file reputation service returns a verdict of malicious, then the appliance applies the action that you have specified for such files.

• If the file is known to the reputation service but there is insufficient information for a definitive verdict, the reputation service returns a threat score based on characteristics of the file such as threat fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation threshold, the appliance applies the action that you have configured in the access policy for malicious or high-risk files.

• If the reputation service has no information about the file, and the file does not meet the criteria for analysis (see Supported Files for File Reputation and Analysis Services, page 14-3), the file is considered clean and the file is released to the end user.

• If you have enabled the cloud-based File Analysis service, and the reputation service has no information about the file, and the file meets the criteria for files that can be analyzed (see Supported Files for File Reputation and Analysis Services, page 14-3), then the file is considered clean and is optionally sent for analysis.

• For deployments with on-premises file analysis, the reputation evaluation and file analysis occur simultaneously. If the reputation service returns a verdict, that verdict is used, as the reputation service includes inputs from a wider range of sources. If the file is unknown to the reputation service, the file is released to the user but the file analysis result is updated in the local cache and is used to evaluate future instances of the file.

• If file reputation or file analysis verdict information is unavailable because the connection with the service timed out, the file is considered clean and is released to the end user.



Figure 14-1 Advanced Malware Protection Workflow for Cloud File Analysis Deployments

If the file is sent for analysis:

• If the file is sent to the cloud for analysis: Files are sent over HTTPS.

• Analysis normally takes minutes, but may take longer.

• A file that is flagged as malicious after File Analysis may not be identified as malicious by the reputation service. File reputation is determined by a variety of factors over time, not necessarily by a single file analysis verdict.

• Results for files analyzed using an on premises Cisco AMP Threat Grid appliance are cached locally.

For information about verdict updates, see File Threat Verdict Updates, page 14-1.

Supported Files for File Reputation and Analysis Services The reputation service evaluates most file types. File type identification is determined by file content and is not dependent on the filename extension.

Some files with unknown reputation can be analyzed for threat characteristics. When you configure the file analysis feature, you choose which file types are analyzed. New types can be added dynamically; you will receive an alert when the list of uploadable file types changes, and can select added file types to upload.

Details about what files are supported by the reputation and analysis services are available only to registered Cisco customers. For information about which files are evaluated and analyzed, see File Criteria for Advanced Malware Protection Services for Cisco Content Security Products, available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html. The criteria for evaluating a file’s reputation and for sending files for analysis may change at any time.

In order to access this document, you must have a Cisco customer account with a support contract. To register, visit https://tools.cisco.com/RPF/register/register.do.

Your setting for DVS Engine Object Scanning Limits on the Security Services > Anti-Malware and Reputation page also determines the maximum file size for file reputation and analysis.

http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html

https://tools.cisco.com/RPF/register/register.do



You should configure policies to block download of files that are not addressed by Advanced Malware Protection.

Note A file that has already been uploaded for analysis from any source will not be uploaded again. To view analysis results for such a file, search for the SHA-256 from the File Analysis reporting page.

Related Topics

• Enabling and Configuring File Reputation and Analysis Services, page 14-7

• Ensuring That You Receive Alerts About Advanced Malware Protection Issues, page 14-10

• Archive or Compressed File Processing, page 14-4

Archive or Compressed File Processing

If the file is compressed or archived,

• Reputation of the compressed or archive file is evaluated.

• The compressed or archive file is decompressed and reputations of all the extracted files are evaluated.

For information about which archived and compressed files are examined, including file formats, see the information linked from Supported Files for File Reputation and Analysis Services, page 14-3.

In this scenario,

• If one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for the compressed or the archive file.

• If the compressed or archive file is malicious and all the extracted files are clean, the file reputation service returns a verdict of Malicious for the compressed or the archive file.

• If the verdict of any of the extracted files is unknown, the extracted files are optionally (if configured and the file type is supported for file analysis) sent for file analysis.

• If the extraction of a file fails while decompressing a compressed or an archive file, the file reputation service returns a verdict of Unscannable for the compressed or the archive file. Keep in mind that, in this scenario, if one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for the compressed or the archive file (Malicious verdict takes precedence over Unscannable verdict).

Note Reputation of the extracted files with safe MIME types, for example, text/plain, are not evaluated.

Privacy of Information Sent to the Cloud • Only the SHA that uniquely identifies a file is sent to the reputation service in the cloud. The file

itself is not sent.

• If you are using the file analysis service in the cloud and a file qualifies for analysis, the file itself is sent to the cloud.


Chapter 14 File Reputation Filtering and File Analysis Configuring File Reputation and Analysis Features

• Information about every file that is sent to the cloud for analysis and has a verdict of "malicious" is added to the reputation database. This information is used along with other data to determine a reputation score.

Information about files analyzed by an on premises Cisco AMP Threat Grid appliance is not shared with the reputation service.

Configuring File Reputation and Analysis Features• Requirements for Communication with File Reputation and Analysis Services, page 14-5

• Configuring an On-Premises File Analysis Server, page 14-6


• (Public Cloud File Analysis Services Only) Configuring Appliance Groups, page 14-9

• Configuring File Reputation and Analysis Service Action Per Access Policy, page 14-10

• Ensuring That You Receive Alerts About Advanced Malware Protection Issues, page 14-10

• Configuring Centralized Reporting for Advanced Malware Protection Features, page 14-11

Requirements for Communication with File Reputation and Analysis Services • All Web Security appliances that use these services must be able to connect to them directly over

the internet (excluding File Analysis services configured to use an on-premises Cisco AMP Threat Grid Appliance.)

• By default, communication with file reputation and analysis services is routed through the Management port (M1) on the appliance. If your appliance does not route data through the management port, see Routing Traffic to File Reputation and File Analysis Servers Through a Data Interface, page 14-6.

• The following firewall ports must be open:

• When you configure the file reputation feature, choose whether to use SSL over port 443.

Related Topics


Firewall Ports Description Protocol In/Out Hostname

Appliance Interface

32137 (default) or 443

Access to cloud services for obtaining file reputation.

TCP Out As configured in Security Services > Anti-Malware and Reputation, Advanced section: Advanced Settings for File Reputation, Cloud Server Pool parameter.

Management, unless a static route is configured to route this traffic through a data port.

443 Access to cloud services for file analysis.

TCP Out As configured in Security Services > Anti-Malware and Reputation, Advanced section: Advanced Settings for File Analysis.



Routing Traffic to File Reputation and File Analysis Servers Through a Data Interface

If the appliance is configured to restrict the management port to appliance management services only (on the Network > Interfaces page), configure the appliance to route file reputation and analysis traffic through the data port instead.

Add routes for data traffic on the Network > Routes page. For general requirements and instructions, see Configuring TCP/IP Traffic Routes, page 2-22.

Related Topics


Configuring an On-Premises File Analysis Server If you will use a Cisco AMP Threat Grid Appliance as a private-cloud file analysis server:

• Obtain the Cisco AMP Threat Grid Appliance Setup and Configuration Guide and the Cisco AMP Threat Grid Appliance Administration Guide. Cisco AMP Threat Grid Appliance documentation is available from http://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/tsd-products-support-series-home.html.

Use this documentation to perform the tasks described in this topic.

Additional documentation is available from the Help link in the AMP Threat Grid appliance.

In the Administration Guide, search for information about all of the following: integrations with other Cisco appliances, CSA, Cisco Sandbox API, WSA, and Web Security Appliances.

• Set up and configure the Cisco AMP Threat Grid Appliance.

• If necessary, update your Cisco AMP Threat Grid Appliance software to version 1.2.1, which supports integration with Cisco Web Security appliances.

See the AMP Thread Grid documentation for instructions for determining the version number and for performing the update.

• Ensure that your appliances can communicate with each other over your network. Cisco Web Security appliances must be able to connect to the CLEAN interface of the AMP Threat Grid appliance.

For Connection To Destination Network Gateway

The file reputation service Host name of the Cloud Server Pool, as configured in Security Services > Anti-Malware and Reputation, Advanced section: Advanced Settings for File Reputation.

IP address of the gateway for the data port

The file analysis service Host name of the File Analysis Server, as configured in Security Services > Anti-Malware and Reputation, Advanced section: Advanced Settings for File Analysis.

IP address of the gateway for the data port

http://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/tsd-products-support-series-home.html

http://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/tsd-products-support-series-home.html



• If you will deploy a self-signed certificate: Generate a self-signed SSL certificate from the Cisco AMP Threat Grid appliance to be used on your Web Security appliance. See instructions for downloading SSL certificates and keys in the administrator’s guide for your AMP Threat Grid appliance. Be sure to generate a certificate that has the hostname of your AMP Threat Grid appliance as CN. The default certificate from the AMP Threat Grid appliance does NOT work.

• Registration of your Web Security appliance with your Threat Grid appliance occurs automatically when you submit the configuration for File Analysis, as described in Enabling and Configuring File Reputation and Analysis Services, page 14-7. However, you must activate the registration as described in the same procedure.

Enabling and Configuring File Reputation and Analysis Services

Before You Begin

• Acquire feature keys for the file reputation service and the file analysis service.

• Meet the Requirements for Communication with File Reputation and Analysis Services, page 14-5.

• Ensure that a Data network interface is enabled on the appliance if you want to use a Data network interface for File Reputation and Analysis services. See Enabling or Changing Network Interfaces, page 2-18.

• Verify connectivity to the update servers configured in Configuring Upgrade and Service Update Settings, page 22-32.

• If you will use a Cisco AMP Threat Grid Appliance as a private cloud file analysis server, see Configuring an On-Premises File Analysis Server, page 14-6.

Step 1 Select Security Services > Anti-Malware and Reputation .


Step 3 In the Advanced Malware Protection Services section, select Enable File Reputation Filtering.

Step 4 Accept the license agreement if presented.

Step 5 In the Advanced Malware Protection Services section, select Enable File Analysis.

Step 6 In the File Analysis section, select the file types to send to the cloud for analysis.

Note Cisco periodically checks for potentially malicious file types to prevent zero day threats. If new threats are identified, details of such file types are sent to your appliance through updater servers. Select the Other potentially malicious file types option to enable this functionality. If you enable this functionality, your appliance will send such file types for analysis in addition to the file types you have selected.



Step 7 Adjust the following Advanced Settings for File Reputation as needed:

Note Do not change any other settings in this section without guidance from Cisco support.

Step 8 If you will use the cloud service for file analysis:

a. Select Advanced Settings for File Analysis.

b. Choose the cloud server that is physically nearest to your Web Security appliances.

Newly available servers will be added to this list periodically using standard update processes.

Step 9 If you will use an on-premises Cisco AMP Threat Grid appliance for file analysis:

Configure Advanced Settings for File Analysis:


Step 11 If you are using an on-premises Cisco AMP Threat Grid appliance, activate the account for this appliance on the AMP Threat Grid appliance.

Option Description

Routing Table The routing table (associated with an appliance network interface type, either Management or Data) to be used for Advanced Malware Protection services. If the appliance has both the Management interface and one or more Data interfaces enabled, you can select Management or Data.

SSL Communication for File Reputation Check Use SSL (Port 443) to communicate on port 443 instead of the default port, 32137.

This option also allows you to configure an upstream proxy for communication with the file reputation service.

Note SSL communication over port 32137 may require you to open that port in your firewall.

Reputation Threshold

• Use value from Cloud Service

• Enter custom value

The upper limit for acceptable file reputation scores. Scores above this threshold indicate the file is infected.

Option Description

File Analysis Server URL

Select Private cloud.

Server URL of the on-premises Cisco AMP Threat Grid Appliance. Use the hostname, not the IP address, for this value and for the certificate.

Certificate Upload a self-signed certificate that you have generated from your on-premises Cisco AMP Threat Grid Appliance.

The most recently uploaded self-signed certificate is used. It is not possible to access a certificate uploaded prior to the most recent certificate; if needed, upload the desired certificate again.



Complete instructions for activating the "user" account are available in the AMP Threat Grid documentation.

a. Note the File Analysis Client ID that appears at the bottom of the section. This identifies the "user" that you will activate.

b. Sign in to the AMP Threat Grid appliance.

c. Select Welcome... > Manage Users and navigate to User Details.

d. Locate the "user" account based on the File Analysis Client ID of your Web Security appliance.

e. Activate this "user" account for your appliance.

(Public Cloud File Analysis Services Only) Configuring Appliance Groups In order to allow all content security appliances in your organization to view file analysis result details in the cloud for files sent for analysis from any appliance in your organization, you need to join all appliances to the same appliance group.


Step 2 In the Appliance Grouping for File Analysis Cloud Reporting section, enter the File Analysis Cloud Reporting Group ID.

• If this is the first appliance being added to the group, provide a useful identifier for the group.

• This ID is case-sensitive, and cannot contain spaces.

• The ID you provide must be identical on all appliances that will share data about files that are uploaded for analysis. However, the ID is not validated on subsequent group appliances.

• If you enter the Group ID incorrectly or need to change it for any other reason, you must open a case with Cisco TAC.

• This change takes effect immediately; it does not require a Commit.

• All appliances in the group must be configured to use the same File Analysis server in the cloud.

• An appliance can belong to only one group.

• You can add a machine to a group at any time, but you can do it only once.

• You can add a machine to a group at any time, but you can do it only once.

Step 3 Click Add Appliance to Group.

Which Appliances Are In the Analysis Group?


Step 2 In the Appliance Grouping for File Analysis Cloud Reporting section, click View Appliances in Group.

Step 3 To view the File Analysis Client ID of a particular appliance, look in the following location:



Configuring File Reputation and Analysis Service Action Per Access Policy

Step 1 Select Web Security Manager > Access Policies.

Step 2 Click the link in the Anti-Malware and Reputation column for a policy in the table.

Step 3 In the Advanced Malware Protection Settings section, select Enable File Reputation Filtering and File Analysis.

If File Analysis is not enabled globally, only File Reputation Filtering is offered.

Step 4 Select an action for Known Malicious and High-Risk Files: Monitor or Block.

The default is Monitor.


Ensuring That You Receive Alerts About Advanced Malware Protection IssuesEnsure that the appliance is configured to send you alerts related to Advanced Malware Protection.

You will receive alerts when:

Appliance Location of File Analysis Client ID

Email Security appliance

Advanced Settings for File Analysis section on the Security Services > File Reputation and Analysis page.

Web Security appliance

Advanced Settings for File Analysis section on the Security Services > Anti-Malware and Reputation page.

Security Management appliance

At the bottom of the Management Appliance > Centralized Services > Security Appliances page.

Alert Description Type Severity

Feature keys expire (As is standard for all features)

The file reputation or file analysis service is unreachable. Anti-Malware Warning

Communication with cloud services is established. Anti-Malware Info

A file reputation verdict changes. Anti-Malware Info

File types that can be sent for analysis have changed. You may want to enable upload of new file types.

Anti-Malware Info


Chapter 14 File Reputation Filtering and File Analysis File Reputation and File Analysis Reporting and Tracking

Related Topics

• Several Alerts About Failure to Connect to File Reputation or File Analysis Servers, page 14-14


Configuring Centralized Reporting for Advanced Malware Protection Features If you will centralize reporting on a Security Management appliance, see important configuration requirements in the Advanced Malware Protection sections in the web reporting chapter of the online help or user guide for your management appliance.

File Reputation and File Analysis Reporting and Tracking • Identifying Files by SHA-256 Hash, page 14-11

• File Reputation and File Analysis Report Pages, page 14-12

• Viewing File Reputation Filtering Data in Other Reports, page 14-13

• About Web Tracking and Advanced Malware Protection Features, page 14-13

Identifying Files by SHA-256 Hash Because filenames can easily be changed, the appliance generates an identifier for each file using a Secure Hash Algorithm (SHA-256). If an appliance processes the same file with different names, all instances are recognized as the same SHA-256. If multiple appliances process the same file, all instances of the file have the same SHA-256 identifier.

In most reports, files are listed by their SHA-256 value (in an abbreviated format). To identify the filenames associated with a malware instance in your organization, select Reporting > Advanced Malware Protection and click an SHA-256 link in the table. The details page shows associated filenames.

Analysis of some file types is temporarily unavailable. Anti-Malware Warning

Analysis of all supported file types is restored after a temporary outage.

Anti-Malware Info

Alert Description Type Severity


Chapter 14 File Reputation Filtering and File Analysis File Reputation and File Analysis Reporting and Tracking

File Reputation and File Analysis Report Pages

Report Description


Shows file-based threats that were identified by the file reputation service.

To see the users who tried to access each SHA, and the filenames associated with that SHA-256, click a SHA-256 in the table.

Clicking the link at the bottom of Malware Threat File Details report page displays all instances of the file in Web Tracking that were encountered within the maximum available time range, regardless of the time range selected for the report.

For files with changed verdicts, see the AMP Verdict updates report. Those verdicts are not reflected in the Advanced Malware Protection report.

Note If one of the extracted files from a compressed or an archive file is malicious, only SHA value of the compressed or archive file is included in the Advanced Malware Protection report.

File Analysis Displays the time and verdict (or interim verdict) for each file sent for analysis.

Files that are whitelisted on the Cisco AMP Threat Grid appliance show as "clean." For information about whitelisting, see the AMP Threat Grid online help.

To view more than 1000 File Analysis results, export the data as a .csv file.

Drill down to view detailed analysis results, including the threat characteristics and score for each file.

You can also view additional details about an SHA directly on the AMP Threat Grid appliance or cloud server that performed the analysis by searching for the SHA or by clicking the Cisco AMP Threat Grid link at the bottom of the file analysis details page.

Note If extracted files from a compressed or an archive file are sent for file analysis, only SHA values of these extracted files are included in the File Analysis report.

AMP Verdict Updates Lists the files processed by this appliance for which the verdict has changed since the transaction was processed. For information about this situation, see File Threat Verdict Updates, page 14-1.

To view more than 1000 verdict updates, export the data as a .csv file.

In the case of multiple verdict changes for a single SHA-256, this report shows only the latest verdict, not the verdict history.

Clicking an SHA-256 link displays web tracking results for all transactions that included this SHA-256 within the maximum available time range, regardless of the time range selected for the report.

To view all affected transactions for a particular SHA-256 within the maximum available time range (regardless of the time range selected for the report) click the link at the bottom of the Malware Threat Files page.


Chapter 14 File Reputation Filtering and File Analysis Taking Action When File Threat Verdicts Change

Viewing File Reputation Filtering Data in Other Reports Data for file reputation and analysis is available in other reports where relevant. A "Blocked by Advanced Malware Protection" column may be hidden by default in applicable reports. To display additional columns, click the Columns link below the table.

The Report by User Location includes an Advanced Malware Protection tab.

About Web Tracking and Advanced Malware Protection Features When searching for file threat information in Web Tracking, keep the following points in mind:

• To search for malicious files found by the file reputation service, select Known Malicious and High-Risk Files for the Filter by Malware Category option in the Malware Threat area in the Advanced section in Web Tracking.

• Web Tracking includes only information about file reputation processing and the original file reputation verdicts returned at the time a transaction was processed. For example, if a file was initially found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears in Tracking results.

"Block - AMP" in search results means the transaction was blocked because of the file's reputation verdict.

In Tracking details, the "AMP Threat Score" is the best-effort score that the cloud reputation service provides when it cannot determine a clear verdict for the file. In this situation, the score is between 1 and 100. (Ignore the AMP Threat Score if an AMP Verdict is returned or if the score is zero.) The appliance compares this score to the threshold score (configured on the Security Services > Anti-Malware and Reputation page) to determine what action to take. By default, files with scores between 60 and 100 are considered malicious. Cisco does not recommend changing the default threshold score. The WBRS score is the reputation of the site from which the file was downloaded; this score is not related to the file reputation.

• Verdict updates are available only in the AMP Verdict Updates report. The original transaction details in Web Tracking are not updated with verdict changes. To see transactions involving a particular file , click a SHA-256 in the verdict updates report.

• Information about File Analysis, including analysis results and whether or not a file was sent for analysis, are available only in the File Analysis report.

Additional information about an analyzed file may be available from the cloud or on-premises File Analysis server. To view any available File Analysis information for a file, select Reporting > File Analysis and enter the SHA-256 to search for the file, or click the SHA-256 link in Web Tracking details. If the File Analysis service has analyzed the file from any source, you can see the details. Results are displayed only for files that have been analyzed.

If the appliance processed a subsequent instance of a file that was sent for analysis, those instances will appear in Web Tracking search results.

Taking Action When File Threat Verdicts Change

Step 1 View the AMP Verdict Updates report.

Step 2 Click the relevant SHA-256 link to view web tracking data for all transactions involving that file that end users were allowed to access.


Chapter 14 File Reputation Filtering and File Analysis Troubleshooting File Reputation and Analysis

Step 3 Using the tracking data, identify the users that may have been compromised, as well as information such as the file names involved in the breach and the web site from which the file was downloaded.

Step 4 Check the File Analysis report to see if this SHA-256 was sent for analysis, to understand the threat behavior of the file in more detail.

Related Topics

• File Threat Verdict Updates, page 14-1

Troubleshooting File Reputation and Analysis • Log Files, page 14-14

• Several Alerts About Failure to Connect to File Reputation or File Analysis Servers, page 14-14

• API Key Error (On-Premises File Analysis), page 14-15

• Files are Not Uploaded As Expected, page 14-15

• File Analysis Details in the Cloud Are Incomplete, page 14-15

• Alerts about File Types That Can Be Sent for Analysis, page 14-16

Log Files In logs:

• AMP and amp refer to the file reputation service or engine.

• Retrospective refers to verdict updates.

• VRT and sandboxing refer to the file analysis service.

Information about Advanced Malware Protection including File Analysis is logged in Access Logs or in AMP Engine Logs. For more information, see the chapter on monitoring system activity through logs.

In the log message "Response received for file reputation query" possible values for "upload action" are:

• 0: The file is known to the reputation service; do not send for analysis.

• 1: Send

• 2: The file is known to the reputation service; do not send for analysis.

Several Alerts About Failure to Connect to File Reputation or File Analysis Servers

Problem You receive several alerts about failures to connect to the file reputation or analysis services in the cloud. (A single alert may indicate only a transient issue.)

Solution

• Ensure that you have met the requirements in Requirements for Communication with File Reputation and Analysis Services, page 14-5.



• Check for network issues that may prevent the appliance from communicating with the cloud services.

• Increase the Query Timeout value:

Select Security Services > Anti-Malware and Reputation . The Query Timeout value is in the Advanced settings area of the Advanced Malware Protection Services section.

API Key Error (On-Premises File Analysis)

Problem You receive an API key alert when attempting to view File Analysis report details, or the Web Security appliance is unable to connect to the AMP Threat Grid server to upload files for analysis.

Solution This error can occur if you change the hostname of the AMP Threat Grid server and you are using a self-signed certificate from the AMP Threat Grid server, as well as possibly under other circumstances. To resolve the issue:

• Generate a new certificate from the AMP Threat Grid appliance that has the new hostname.

• Upload the new certificate to the Web Security appliance.

• Reset the API key on the AMP Threat Grid appliance. For instructions, see the online help on the AMP Threat Grid appliance.

Related Topics


Files are Not Uploaded As Expected

Problem Files are not evaluated or analyzed as expected. There is no alert or obvious error.

Problem Consider the following:

• The file may have been sent for analysis by another appliance and thus already be present on the File Analysis server or in the cache of the appliance that is processing the file.

• Check the maximum file size limit configured for the DVS Engine Object Scanning Limits on the Security Services > Anti-Malware and Reputation page. This limit applies to Advanced Malware Protection features.

File Analysis Details in the Cloud Are Incomplete

Problem Complete file analysis results in the public cloud are not available for files uploaded from other Web Security appliances in my organization.

Solution Be sure to group all appliances that will share file analysis result data. See (Public Cloud File Analysis Services Only) Configuring Appliance Groups, page 14-9. This configuration must be done on each appliance in the group.



Alerts about File Types That Can Be Sent for Analysis

Problem You receive alerts of severity Info about file types that can be sent for file analysis.

Solution This alert is sent when supported file types change, or when the appliance checks to see what file types are supported. This can occur when:

• You or another administrator changes the file types selected for analysis.

• Supported file types change temporarily based on availability in the cloud service. In this case, support for the file types selected on the appliance will be restored as soon as possible. Both processes are dynamic and do not require any action from you.

• The appliance restarts, for example as part of an AsyncOS upgrade.

C H A P T E R


15Managing Access to Web Applications

• Overview of Managing Access to Web Applications, page 15-1

• Enabling the AVC Engine, page 15-2

• Policy Application Control Settings, page 15-3

• Controlling Bandwidth, page 15-5

• Controlling Instant Messaging Traffic, page 15-8

• Viewing AVC Activity, page 15-8

Overview of Managing Access to Web ApplicationsThe Application Visibility and Control (AVC) engine lets you create policies to control application activity on the network without having to fully understand the underlying technology of each application. You can configure application control settings in Access Policy groups. You can block or allow applications individually or according to application type. You can also apply controls to particular application types.

Using Access Policies you can:

• Control application behaviors

• Control the amount of bandwidth used for particular application types

• Notify end-users when they are blocked

• Assign controls to Instant Messaging, Blogging and Social Media applications

• Specify Range Request settings

To control applications using the AVC engine, perform the following tasks:

Task Link to Task

Enable the AVC engine Enabling the AVC Engine, page 15-2

Set Controls in an Access Policy Group Configuring Application Control Settings in an Access Policy Group, page 15-5

Limit bandwidth consumed by some application types to control congestion

Controlling Bandwidth, page 15-5

Allow instant messaging traffic, but disallow file sharing using instant messenger

Controlling Instant Messaging Traffic, page 15-8


Chapter 15 Managing Access to Web Applications Enabling the AVC Engine

Enabling the AVC EngineEnable the AVC engine when you enable the Acceptable Use Controls.

Note You can view the AVC engine scanning activity in the Application Visibility report on the Reporting > Application Visibility page.


Step 2 Click Enable or Edit Global Settings, depending on the current status of the Acceptable Use Controls.

Step 3 Be sure Enable Cisco Web Usage Controls is checked.

Step 4 In the Acceptable Use Controls Service panel, select Cisco Web Usage Controls, and then select Enable Application Visibility and Control.

Step 5 Select the Default Action for Unreachable Service: Monitor or Block.


Related Topics

• AVC Engine Updates and Default Actions, page 15-2

• User Experience When Requests Are Blocked by the AVC Engine, page 15-3

AVC Engine Updates and Default Actions AsyncOS periodically queries the update servers for new updates to all security service components, including the AVC engine. AVC engine updates can include support for new application types and applications, as well as updated support for existing applications if any application behaviors change. By updating the AVC engine between AsyncOS version updates, the Web Security appliance remains flexible without requiring a server upgrade.

AsyncOS for Web assigns the following default actions for the Global Access Policy:

• New Application Types default to Monitor.

• New application behaviors, such as block file transfer within a particular application; defaults to Monitor.

• New applications for an existing application type default to the Application Type’s default.

Note In the Global Access Policy, you can set the default action for each Application Type, so new applications introduced in an AVC engine update automatically inherit the specified default action. See Configuring Application Control Settings in an Access Policy Group, page 15-5.


Chapter 15 Managing Access to Web Applications Policy Application Control Settings

User Experience When Requests Are Blocked by the AVC Engine When the AVC engine blocks a transaction, the Web Proxy sends a block page to the end user. However, not all Websites display the block page to the end user; many Websites display dynamic content using JavaScript instead of a static Web page and are not likely to display the block page. Users are still properly blocked from downloading malicious data, but they may not always be informed of this by the Website.

Policy Application Control SettingsControlling applications involves configuring the following elements:

You can configure application control settings in Access Policy groups. On the Web Security Manager > Access Policies page, click the Applications link for the policy group you want to configure. When configuring applications, you can choose the following actions:

Related Topics

• Range Request Settings, page 15-3

• Rules and Guidelines for Configuring Application Control, page 15-4

Range Request SettingsWhen HTTP range requests are disabled and a large file is downloaded over multiple streams, the consolidated package is scanned. This disables the performance advantages of download-management utilities and applications that are used to download large objects.

Option Description

Application Types A category that contains one or more applications.

Applications Particular applications within an Application Type.

Application behaviors Particular actions or behaviors that users can do within an application that administrators can control. Not all applications include behaviors you can configure.

Option Description

Block This action is a final action. Users are prevented from viewing a webpage and instead an end-user notification page displays

Monitor This action is an intermediary action. The Web Proxy continues comparing the transaction to the other control settings to determine which final action to apply

Restrict This action indicates that an application behavior is blocked. For example, when you block file transfers for a particular instant messaging application, the action for that application is Restrict.

Bandwidth Limit For certain applications, such as Media and Facebook, you can limit the bandwidth available for Web traffic. You can limit bandwidth for the application itself, and for its users.


Chapter 15 Managing Access to Web Applications Policy Application Control Settings

Alternatively, when Range Request Forwarding is enabled (see Configuring Web Proxy Settings, page 4-3), you can control how incoming range requests are handled on a per-policy basis. This process is known as “byte serving” and is a means of bandwidth optimization when requesting large files.

However, enabling range request forwarding can interfere with policy-based Application Visibility and Control (AVC) efficiency, and can compromise security. Please exercise caution and enable HTTP Range Request Forwarding only if the advantages outweigh the security implications.

Note The Range Request Settings are read-only when Range Request Forwarding is not enabled. and also when it is enabled but all applications are set to Monitor. The settings are available when at least one application is set to Block, Restrict, or Throttle.

Rules and Guidelines for Configuring Application Control Consider the following rules and guidelines when configuring application control settings:

• The supported Application Types, applications, and application behaviors may change between AsyncOS for Web upgrades, or after AVC engine updates.

• When you enable Safe Search or Site Content Rating, the AVC Engine is tasked with identifying applications for safe browsing. As one of the criteria, the AVC engine will scan the response body to detect a search application. As a result, the appliance will not forward range headers.

• In Application Type listings, the summary for each Application Type lists the final actions for its applications, but does not indicate whether these actions are inherited from the global policy or configured in the current Access Policy. To learn more about the action for a particular application, expand the application type.

• In the Global Access Policy, you can set the default action for each Application Type, so new applications introduced in an AVC engine update automatically inherit the default action.

• You can quickly configure the same action for all applications in an application type by clicking the “edit all” link for the Application Type in Browse view. However, you can only configure the application action, not application behavior actions. To configure application behaviors, you must edit the application individually.

• In Search view, when you sort the table by the action column, the sort order is by the final action. For example, “Use Global (Block)” comes after “Block” in the sort order.

• Decryption may cause some applications to fail unless the root certificate for signing is installed on the client.

Range Request Settings for Policy

Range Request Settings

• Do not forward range requests – Any request for a portion of a file is not forwarded; the entire file is returned.

• Forward range requests – If the requested range is valid, it is forwarded and the target server will return the only requested portion of the desired file.

Exception list You can specify traffic destinations which are exempt from the current forwarding selection. That is, when Do not forward range requests is selected, you can specify destinations for which requests are forwarded. Similarly, when Forward range requests is selected, you can specify destinations for which requests are not forwarded.


Chapter 15 Managing Access to Web Applications Controlling Bandwidth

Related Topics

• Configuring Application Control Settings in an Access Policy Group, page 15-5

• Configuring Overall Bandwidth Limits, page 15-6

• Viewing AVC Activity, page 15-8

Configuring Application Control Settings in an Access Policy Group


Step 2 Click the link in the Policies table under the Applications column for the policy group you want to edit.

Step 3 When configuring the Global Access Policy:

a. Define the default action for each Application Type in the Default Actions for Application Types section.

b. You can edit the default actions for each Application Type’s individual members, as a group or individually, in the Edit Applications Settings section of the page. Editing the default action for individual applications is described in the following steps.

Step 4 When configuring a user defined Access Policy, choose Define Applications Custom Settings in the Edit Applications Settings section.

Step 5 In the Application Settings area, choose Browse view or Search view from the drop-down menu:

• Browse view. You can browse Application Types. You can use Browse view to configure all applications of a particular type at the same time. When an Application Type is collapsed in Browse view, the summary for the Application Type lists the final actions for its applications; however it does not indicate whether the actions are inherited from the global policy, or configured in the current Access Policy.

• Search view. You can search for applications by name. You might use Search view when the total list of applications is long and you need to quickly find and configure a particular application.

Step 6 Configure the action for each application and application behavior.

Step 7 Configure the bandwidth controls for each applicable application.


Related Topics

• Controlling Bandwidth, page 15-5

Controlling BandwidthWhen both the overall limit and user limit applies to a transaction, the most restrictive option applies. You can define bandwidth limits for particular URL categories by defining an Identity group for a URL category and using it in an Access Policy that restricts the bandwidth.

You can define the following bandwidth limits:



Note Defining bandwidth limits only throttles the data going to users. It does not block data based on reaching a quota. The Web Proxy introduces latency into each application transaction to mimic a slower link to the server.

Configuring Overall Bandwidth Limits

Step 1 Choose Web Security Manager > Overall Bandwidth Limits


Step 3 Select the Limit to option.

Step 4 Enter the amount of traffic to limit in either Megabits per second (Mbps) or kilobits per second (kbps).


Configuring User Bandwidth LimitsYou can define user bandwidth limits by configuring bandwidth control settings on the Applications Visibility and Control page of Access Policies. You can define the following types of bandwidth controls for users in Access Policies:

Bandwidth limit

Description Link to Task

Overall Define an overall limit for all users on the network for the supported application types. The overall bandwidth limit affects the traffic between the Web Security appliance and web servers. It does not limit traffic served from the web cache.

Configuring Overall Bandwidth Limits, page 15-6

User Define a limit for particular users on the network per application type. User bandwidth limits traffic from web servers as well as traffic served from the web cache.

Configuring User Bandwidth Limits, page 15-6

Option Description Link to task

Default bandwidth limit for an application type

In the Global Access Policy, you can define the default bandwidth limit for all applications of an application type.

Configuring the Default Bandwidth Limit for an Application Type, page 15-7



Configuring the Default Bandwidth Limit for an Application Type


Step 2 Click the link in the policies table under the Applications column for the Global Access Policy.

Step 3 In the Default Actions for Application Types section, click the link next to “Bandwidth Limit” for the application type you want to edit.

Step 4 Select Set Bandwidth Limit and enter the amount of traffic to limit in either Megabits per second (Mbps) or kilobits per second (kbps).

Step 5 Click Apply.


Overriding the Default Bandwidth Limit for an Application Type

You can override the default bandwidth limit defined at the Global Access Policy group in the user defined Access Policies. You can only do this in Browse view.


Step 2 Click the link in the policies table under the Applications column for the user defined policy group you want to edit.

Step 3 Choose Define Applications Custom Settings in the Edit Applications Settings section.

Step 4 Click the link next to “Bandwidth Limit” for the application type you want to edit.

Step 5 To choose a different bandwidth limit value, select Set Bandwidth Limit and enter the amount of traffic to limit in either Megabits per second (Mbps) or kilobits per second (kbps). To specify no bandwidth limit, select No Bandwidth Limit for Application Type.

Step 6 Click Apply.


Configuring Bandwidth Controls for an Application


Bandwidth limit for an application type

In a user defined Access Policy, you can override the default bandwidth limit for the application type defined in the Global Access Policy.

Overriding the Default Bandwidth Limit for an Application Type, page 15-7

Bandwidth limit for an application

In a user defined or Global Access Policy, you can choose to apply the application type bandwidth limit or no limit (exempt the application type limit).

Configuring Bandwidth Controls for an Application, page 15-7

Option Description Link to task


Chapter 15 Managing Access to Web Applications Controlling Instant Messaging Traffic

Step 2 Click the link in the policies table under the Applications column for the policy group you want to edit.

Step 3 Expand the application type that contains the application you want to define.

Step 4 Click the link for the application you want to configure.

Step 5 Select Monitor, and then choose to use either the bandwidth limit defined for the application type or no limit.

Note The bandwidth limit setting is not applicable when the application is blocked or when no bandwidth limit is defined for the application type.

Step 6 Click Done.


Controlling Instant Messaging TrafficYou can block or monitor the IM traffic, and depending on the IM service, you can block particular activities (also known as application behaviors) in an IM session.


Step 2 Click the link in the policies table under the Applications column for the policy group you want to edit.

Step 3 Click Define Applications Custom Setting.

Step 4 Expand the Instant Messaging application type.

Step 5 Click the link next to the IM application you want to configure.

Step 6 To block all traffic for this IM application, select Block.

Step 7 To monitor the IM application, but block particular activities within the application, select Monitor, and then select the application behavior to Block.

Step 8 Click Done.


Viewing AVC ActivityThe Reporting > Application Visibility page displays information about the top applications and application types used. It also displays the top applications and application types blocked.


Chapter 15 Managing Access to Web Applications Viewing AVC Activity

AVC Information in Access Log FileThe access log file records the information returned by the Application Visibility and Control engine for each transaction. The scanning verdict information section in the access logs includes the fields listed below:

Description Custom Field in Access Logs Custom Field in W3C Logs

Application name %XO x-avc-app

Application type %Xu x-avc-type

Application behavior %Xb x-avc-behavior


Chapter 15 Managing Access to Web Applications Viewing AVC Activity

C H A P T E R


16Prevent Loss of Sensitive Data

• Overview of Data Security and External DLP Policies, page 13-1

• Managing Upload Requests, page 13-2

• Managing Upload Requests on an External DLP System, page 16-3

• Evaluating Data Security and External DLP Policy Group Membership, page 16-4

• Creating Data Security and External DLP Policies, page 16-5

• Managing Settings for Upload Requests, page 16-7

• Defining External DLP Systems, page 16-8

• Controlling Upload Requests Using External DLP Policies, page 16-11

• Logging of Data Loss Prevention Scanning, page 16-11

Overview of Prevent Loss of Sensitive DataThe Web Security appliance secures your data by providing the following capabilities:

When the Web Proxy receives an upload request, it compares the request to the Data Security and External DLP Policy groups to determine which policy group to apply. If both types of policies are configured, it compares the request to Cisco Data Security policies before external DLP policies. After it assigns the request to a policy group, it compares the request to the policy group’s configured control settings to determine what to do with the request. How you configure the appliance to handle upload requests depends on the policy group type.

Note Upload requests that try to upload files with a size of zero (0) bytes are not evaluated against Cisco Data Security or External DLP policies.

Option Description

Cisco Data Security filters The Cisco Data Security filters on the Web Security appliance evaluate data leaving the network over HTTP, HTTPS and FTP.

Third-party data loss prevention (DLP) integration

The Web Security appliance integrates with leading third party content-aware DLP systems that identify and protect sensitive data. The Web Proxy uses the Internet Content Adaptation Protocol (ICAP) which allows proxy servers to offload content scanning to external systems


Chapter 16 Prevent Loss of Sensitive Data Managing Upload Requests

To restrict and control data that is leaving the network, you can perform the following tasks:

Bypassing Upload Requests Below a Minimum SizeTo help reduce the number of upload requests recorded in the log files, you can define a minimum request body size, below which upload requests are not scanned by the Cisco Data Security Filters or the external DLP server.

To do this, use the following CLI commands:

• datasecurityconfig. Applies to the Cisco Data Security filters.

• externaldlpconfig. Applies to the configured external DLP servers.

The default minimum request body size is 4 KB (4096 bytes) for both CLI commands. Valid values are 1 to 64 KB. The size you specify applies to the entire size of the upload request body.

Note All chunk encoded uploads and all native FTP transactions are scanned by the Cisco Data Security filters or external DLP servers when enabled. However, they can still be bypassed based on a custom URL category.

User Experience When Requests Are Blocked As Sensitive Data When the Cisco Data Security filters or an external DLP server blocks an upload request, it provides a block page that the Web Proxy sends to the end user. Not all websites display the block page to the end user. For example, some Web 2.0 websites display dynamic content using javascript instead of a static Web page and are not likely to display the block page. Users are still properly blocked from performing data security violations, but they may not always be informed of this by the website.

Managing Upload RequestsBefore You Begin

• Go to Security Services > Data Security Filters to enable the Cisco Data Security filters.

Task Link to Task

Create Cisco Data Security policies Managing Upload Requests, page 13-2

Create External DLP policies Managing Upload Requests on an External DLP System, page 13-3

Create Data Security and External DLP policies Creating Data Security and External DLP Policies, page 16-5

Control Upload Requests using Cisco Data Security policies

Managing Settings for Upload Requests, page 13-7

Control Upload Requests Using External DLP policies

Controlling Upload Requests Using External DLP Policies, page 13-11


Chapter 16 Prevent Loss of Sensitive Data Managing Upload Requests on an External DLP System

Step 1 Create and configure Data Security Policy groups. Cisco Data Security policies use URL filtering, Web reputation, and upload content information when evaluating the upload request. You configure each of these security components to determine whether or not to block the upload request.

When the Web Proxy compares an upload request to the control settings, it evaluates the settings in order. Each control setting can be configured to perform one of the following actions for Cisco Data Security policies:

For Cisco Data Security policies, only the Block action is a final action that the Web Proxy takes on a client request. The Monitor and Allow actions are intermediary actions. In both cases, the Web Proxy evaluates the transaction against the External DLP Policies (if configured) and Access Policies. The Web Proxy determines which final action to apply based on the Access Policy group control settings (or an applicable external DLP Policy that may block the request).

Related Topics

• Managing Upload Requests on an External DLP System, page 13-3


Managing Upload Requests on an External DLP SystemTo configure the Web Security appliance to handle upload requests on an external DLP system, perform the following tasks:

Step 1 Choose Network > External DLP Servers. Define an external DLP system. To pass an upload request to an external DLP system for scanning, you must define at least one ICAP-compliant DLP system on the Web Security appliance.

Step 2 Create and configure External DLP Policy groups. After an external DLP system is defined, you create and configure External DLP Policy groups to determine which upload requests to send to the DLP system for scanning.

Action Description

Block The Web Proxy does not permit the connection and instead displays an end user notification page explaining the reason for the block.

Allow The Web Proxy bypasses the rest of the Data Security Policy security service scanning and then evaluates the request against the Access Policies before taking a final action.

For Cisco Data Security policies, Allow bypasses the rest of data security scanning, but does not bypass External DLP or Access Policy scanning. The final action the Web Proxy takes on the request is determined by the applicable Access Policy (or an applicable external DLP Policy that may block the request).

Monitor The Web Proxy continues comparing the transaction to the other Data Security Policy group control settings to determine whether to block the transaction or evaluate it against the Access Policies.


Chapter 16 Prevent Loss of Sensitive Data Evaluating Data Security and External DLP Policy Group Membership

Step 3 When an upload request matches an External DLP Policy, the Web Proxy sends the upload request to the DLP system using the Internet Content Adaptation Protocol (ICAP) for scanning. The DLP system scans the request body content and returns a block or allow verdict to the Web Proxy. The allow verdict is similar to the Allow action for Cisco Data Security policies in that the upload request will be compared to the Access Policies. The final action the Web Proxy takes on the request is determined by the applicable Access Policy.

Related Topics


• Defining External DLP Systems, page 16-8

Evaluating Data Security and External DLP Policy Group Membership

Each client request is assigned to an Identity and then is evaluated against the other policy types to determine which policy group it belongs for each type. The Web Proxy evaluates upload requests against the Data Security and External DLP policies. The Web Proxy applies the configured policy control settings to a client request based on the client request’s policy group membership.

Matching Client Requests to Data Security and External DLP Policy GroupsTo determine the policy group that a client request matches, the Web Proxy follows a specific process for matching the group membership criteria. It considers the following factors for group membership:

• Identity. Each client request either matches an Identification Profile, fails authentication and is granted guest access, or fails authentication and gets terminated.

• Authorized users. If the assigned Identification Profile requires authentication, the user must be in the list of authorized users in the Data Security or External DLP Policy group to match the policy group. The list of authorized users can be any of the specified groups or users or can be guest users if the Identification Profile allows guest access.

• Advanced options. You can configure several advanced options for Data Security and External DLP Policy group membership. Some options (such as proxy port and URL category) can also be defined within the Identity. When an advanced option is configured in the Identity, it is not configurable in the Data Security or External DLP Policy group level.

The information in this section gives an overview of how the Web Proxy matches upload requests to both Data Security and External DLP Policy groups.

The Web Proxy sequentially reads through each policy group in the policies table. It compares the upload request status to the membership criteria of the first policy group. If they match, the Web Proxy applies the policy settings of that policy group.

If they do not match, the Web Proxy compares the upload request to the next policy group. It continues this process until it matches the upload request to a user defined policy group. If it does not match a user defined policy group, it matches the global policy group. When the Web Proxy matches the upload request to a policy group or the global policy group, it applies the policy settings of that policy group.


Chapter 16 Prevent Loss of Sensitive Data Creating Data Security and External DLP Policies

Creating Data Security and External DLP PoliciesYou can create Data Security and External DLP Policy groups based on combinations of several criteria, such as one or more Identification Profiles or the URL category of the destination site. You must define at least one criterion for policy group membership. When you define multiple criteria, the upload request must meet all criteria to match the policy group. However, the upload request needs to match only one of the configured Identification Profiles.

Step 1 Choose Web Security Manager > Cisco Data Security (for Defining Data Security Policy group membership) or Web Security Manager > External Data Loss Prevention (for Defining External DLP Policy group membership).


Step 3 In the Policy Name field, enter a name for the policy group, and in the Description field (optional) add a description.


Step 4 In the Insert Above Policy field, choose where in the policies table to place the policy group.

When configuring multiple policy groups you must specify a logical order for each group. Order your policy groups to ensure that correct matching occurs.

Step 5 In the Identities and Users section, choose one or more Identification Profile groups to apply to this policy group.


Step 7 To define policy group membership by any of the advanced options, click the link for the advanced option and configure the option on the page that appears.


Protocols Choose whether or not to define policy group membership by the protocol used in the client request. Select the protocols to include.

“All others” means any protocol not listed above this option.

Note When the HTTPS Proxy is enabled, only Decryption Policies apply to HTTPS transactions. You cannot define policy membership by the HTTPS protocol for Access, Routing, Outbound Malware Scanning, Data Security, or External DLP Policies.


Chapter 16 Prevent Loss of Sensitive Data Creating Data Security and External DLP Policies


Step 9 If you are creating a Data Security Policy group, configure its control settings to define how the Web Proxy handles upload requests.

Proxy Ports Choose whether or not to define policy group membership by the proxy port used to access the Web Proxy. Enter one or more port numbers in the Proxy Ports field. Separate multiple ports with commas.

For explicit forward connections, this is the port configured in the browser. For transparent connections, this is the same as the destination port. You might want to define policy group membership on the proxy port if you have one set of clients configured to explicitly forward requests on one port, and another set of clients configured to explicitly forward requests on a different port.

Cisco recommends only defining policy group membership by the proxy port when the appliance is deployed in explicit forward mode, or when clients explicitly forward requests to the appliance. If you define policy group membership by the proxy port when client requests are transparently redirected to the appliance, some requests might be denied.


Subnets Choose whether or not to define policy group membership by subnet or other addresses.

You can choose to use the addresses that may be defined with the associated Identification Profile, or you can enter specific addresses here.

Note If the Identification Profile associated with this policy group defines its membership by addresses, then in this policy group you must enter addresses that are a subset of the addresses defined in the Identification Profile. Adding addresses in the policy group further narrows down the list of transactions that match this policy group.

URL Categories Choose whether or not to define policy group membership by URL categories. Select the user defined or predefined URL categories.


User Agents Choose whether to define policy group membership by the user agents (client applications such as updaters and Web browsers) used in the client request. You can select some commonly defined user agents, or define your own using regular expressions. Specify whether membership definition includes only the selected user agents, or specifically excludes the selected user agents.

Note If the Identification Profile associated with this policy group defines Identification Profile membership by this advanced setting, the setting is not configurable at the non-Identification Profile policy group level.

User Location Choose whether or not to define policy group membership by user location, either remote or local.

This option only appears when the Secure Mobility is enabled.



Chapter 16 Prevent Loss of Sensitive Data Managing Settings for Upload Requests

The new Data Security Policy group automatically inherits global policy group settings until you configure options for each control setting.

If you are creating an External DLP Policy group, configure its control settings to define how the Web Proxy handles upload requests.

The new External DLP Policy group automatically inherits global policy group settings until you configure custom settings.


Related Topics

• Evaluating Data Security and External DLP Policy Group Membership, page 16-4

• Matching Client Requests to Data Security and External DLP Policy Groups, page 16-4



Managing Settings for Upload RequestsEach upload request is assigned to a Data Security Policy group and inherits the control settings of that policy group. The control settings of the Data Security Policy group determine whether the appliance blocks the connection or evaluates it against the Access Polices.

Configure control settings for Data Security Policy groups on the Web Security Manager > Cisco Data Security page.

You can configure the following settings to determine what action to take on upload requests:

After a Data Security Policy group is assigned to an upload request, the control settings for the policy group are evaluated to determine whether to block the request or evaluate it against the Access Policies.

URL CategoriesAsyncOS for Web allows you to configure how the appliance handles a transaction based on the URL category of a particular request. Using a predefined category list, you can choose to monitor or block content by category. You can also create custom URL categories and choose to allow, monitor, or block traffic for a website in the custom category.

Option Link

URL Categories URL Categories, page 13-8

Web Reputation Web Reputation, page 13-8

Content Content Blocking, page 13-8


Chapter 16 Prevent Loss of Sensitive Data Defining External DLP Systems

Web ReputationThe Web Reputation setting inherits the global setting. To customize web reputation filtering for a particular policy group, you can use the Web Reputation Settings pull-down menu to customize web reputation score thresholds.

Only negative and zero values can be configured for web reputation threshold settings for Cisco Data Security policies. By definition, all positive scores are monitored.

Content BlockingYou can use the settings on the Cisco Data Security > Content page to configure the Web Proxy to block data uploads based on the following file characteristics:

• File size. You can specify the maximum upload size allowed. All uploads with sizes equal to or greater than the specified maximum are blocked. You can specify different maximum file sizes for HTTP/HTTPS and native FTP requests.

When the upload request size is greater than both the maximum upload size and the maximum scan size (configured in the “DVS Engine Object Scanning Limits” field on Security Services > Anti-Malware page), the upload request is still blocked, but the entry in the data security logs does not record the file name and content type. The entry in the access logs is unchanged.

• File type. You can block predefined file types or custom MIME types you enter. When you block a predefined file type, you can block all files of that type or files greater than a specified size. When you block a file type by size, the maximum file size you can specify is the same as the value for the “DVS Engine Object Scanning Limits” field on Security Services > Anti-Malware page. By default, that value is 32 MB.

Cisco Data Security filters do not inspect the contents of archived files when blocking by file type. Archived files can be blocked by its file type or file name, not according to its contents.

Note For some groups of MIME types, blocking one type blocks all MIME types in the group. For example, blocking application/x-java-applet blocks all java MIME types, such as application/java and application/javascript.

• File name. You can block files with specified names. You can use text as a literal string or a regular expression for specifying file names to block.

Note Only enter file names with 8-bit ASCII characters. The Web Proxy only matches file names with 8-bit ASCII characters.

Defining External DLP SystemsThe Web Security appliance can integrate with multiple external DLP servers from the same vendor by defining multiple DLP servers in the appliance. You can define the load-balancing technique the Web Proxy uses when contacting the DLP systems. This is useful when you define multiple DLP systems. See SSL Configuration, page 22-23 for information about specifying the protocols used to secure communications with external DLP servers.



Note Verify the external DLP server does not send the Web Proxy modified content. AsyncOS for Web only supports the ability to block or allow upload requests. It does not support uploading content modified by an external DLP server.

Configuring External DLP Servers

Step 1 Choose Network > External DLP Servers.


Setting Description

Protocol for External DLP Servers

Choose either:

• ICAP – DLP client/server ICAP communications are not encrypted.

• Secure ICAP – DLP client/server ICAP communications are via an encrypted tunnel. Additional related options appear.

External DLP Servers Enter the following information to access an ICAP compliant DLP system:

• Server address and Port – The hostname or IP address and TCP port for accessing the DLP system.

• Reconnection attempts – The number of times the Web Proxy tries to connect to the DLP system before failing.

• Service URL – The ICAP query URL specific to the particular DLP server. The Web Proxy includes what you enter here in the ICAP request it sends to the external DLP server. The URL must start with the ICAP protocol: icap://

• Certificate (optional) – The certificate provided to secure each External DLP Server connection can be Certificate Authority (CA)-signed or self-signed. Obtain the certificate from the specified server, and then upload it to the appliance:

– Browse to and select the certificate file, and then click Upload File.

Note This single file must contain both the client certificate and private key in unencrypted form.

– Use this certificate for all DLP servers using Secure ICAP – Check this box to use the same certificate for all External DLP Servers you define here. Leave the option unchecked to enter a different certificate for each server.

• Start Test – You can test the connection between the Web Security appliance and the defined external DLP server(s) by clicking Start Test.



Step 3 (Optional) You can add another DLP server by clicking Add Row and entering the DLP Server information in the new fields provided.


Load Balancing If multiple DLP servers are defined, select which load-balancing technique the Web Proxy uses to distribute upload requests to different DLP servers. You can choose the following load balancing techniques:

• None (failover). The Web Proxy directs upload requests to one DLP server. It tries to connect to the DLP servers in the order they are listed. If one DLP server cannot be reached, the Web Proxy attempts to connect to the next one in the list.

• Fewest connections. The Web Proxy keeps track of how many active requests are with the different DLP servers and it directs the upload request to the DLP server currently servicing the fewest number of connections.

• Hash based. The Web Proxy uses a hash function to distribute requests to the DLP servers. The hash function uses the proxy ID and URL as inputs so that requests for the same URL are always directed to the same DLP server.

• Round robin. The Web Proxy cycles upload requests equally among all DLP servers in the listed order.

Service Request Timeout

Enter how long the Web Proxy waits for a response from the DLP server. When this time is exceeded, the ICAP request has failed and the upload request is either blocked or allowed, depending on the Failure Handling setting.

Default is 60 seconds.

Maximum Simultaneous Connections

Specifies the maximum number of simultaneous ICAP request connections from the Web Security appliance to each configured external DLP server. The Failure Handling setting on this page applies to any request which exceeds this limit.

Default is 25.

Failure Handling Choose whether upload requests are blocked or allowed (passed to Access Policies for evaluation) when the DLP server fails to provide a timely response.

Default is allow (“Permit all data transfers to proceed without scanning”).

Trusted Root Certificate

Browse to and select the trusted-root certificate for the certificate(s) provided with the External DLP Servers, and then click Upload File. See Certificate Management, page 22-25 for additional information.

Invalid Certificate Options

Specify how various invalid certificates are handled: Drop or Monitor.

Server Certificates This section displays all DLP server certificates currently available on the appliance.

Setting Description


Chapter 16 Prevent Loss of Sensitive Data Controlling Upload Requests Using External DLP Policies

Controlling Upload Requests Using External DLP PoliciesOnce the Web Proxy receives the upload request headers, it has the information necessary to decide if the request should go to the external DLP system for scanning. The DLP system scans the request and returns a verdict to the Web Proxy, either block or monitor (evaluate the request against the Access Policies).

Step 1 Choose Web Security Manager > External Data Loss Prevention.

Step 2 Click the link under the Destinations column for the policy group you want to configure.

Step 3 Under the Edit Destination Settings section, choose “Define Destinations Scanning Custom Settings.”

Step 4 In the Destination to scan section, choose one of the following options:

• Do not scan any uploads. No upload requests are sent to the configured DLP system(s) for scanning. All upload requests are evaluated against the Access Policies.

• Scan all uploads. All upload requests are sent to the configured DLP system(s) for scanning. The upload request is blocked or evaluated against the Access Policies depending on the DLP system scanning verdict.

• Scan uploads to specified custom URL categories only. Upload requests that fall in specific custom URL categories are sent to the configured DLP system for scanning. The upload request is blocked or evaluated against the Access Policies depending on the DLP system scanning verdict. Click Edit custom categories list to select the URL categories to scan.


Logging of Data Loss Prevention Scanning The access logs indicate whether or not an upload request was scanned by either the Cisco Data Security filters or an external DLP server. The access log entries include a field for the Cisco Data Security scan verdict and another field for the External DLP scan verdict based.

In addition to the access logs, the Web Security appliance provides the following log file types to troubleshoot Cisco Data Security and External DLP Policies:

• Data Security Logs. Records client history for upload requests that are evaluated by the Cisco Data Security filters.

• Data Security Module Logs. Records messages related to the Cisco Data Security filters.

• Default Proxy Logs. In addition recording errors related to the Web Proxy, the default proxy logs include messages related to connecting to external DLP servers. This allows you to troubleshoot connectivity or integration problems with external DLP servers.

The following text illustrates a sample Data Security Log entry:

Mon Mar 30 03:02:13 2009 Info: 303 10.1.1.1 - - <<bar,text/plain,5120><foo,text/plain,5120>> BLOCK_WEBCAT_IDS-allowall-DefaultGroup-DefaultGroup-NONE-DefaultRouting ns server.com nc


Chapter 16 Prevent Loss of Sensitive Data Logging of Data Loss Prevention Scanning

Note To learn when data transfer, such as a POST request, to a site was blocked by the external DLP server, search for the IP address or hostname of the DLP server in the access logs.

Field Value Description

Mon Mar 30 03:02:13 2009 Info: Timestamp and trace level

303 Transaction ID

10.1.1.1 Source IP address

- User name

- Authorized group names

<<bar,text/plain,5120><foo,text/plain,5120>>

File name, file type, file size for each file uploaded at once

Note This field does not include text/plain files that are less than the configured minimum request body size, the default of which is 4096 bytes.

BLOCK_WEBCAT_IDS-allowall-DefaultGroup-DefaultGroup-NONE-DefaultRouting

Cisco Data Security policy and action

ns Web reputation score

server.com Outgoing URL

nc URL category

C H A P T E R


17Notify End-Users of Proxy Actions

• End-User Notifications Overview, page 17-1

• Configuring General Settings for Notification Pages, page 17-2

• End-User Acknowledgment Page, page 17-2

• End-User Notification Pages, page 17-5

• Configuring the End-User URL Filtering Warning Page, page 17-9

• Configuring FTP Notification Messages, page 17-9

• Custom Messages on Notification Pages, page 17-10

• Editing Notification Page HTML Files Directly, page 17-12

• Notification Page Types, page 17-15

End-User Notifications OverviewYou can configure the following types of notifications for end users:

Option Description Further information

End-user acknowledgement page

Informs end users that their web activity is being filtered and monitored. An end-user acknowledgment page is displayed when a user first accesses a browser after a certain period of time.

End-User Acknowledgment Page, page 17-2

End-user notification pages

Page shown to end users when access to a particular page is blocked, specific to the reason for blocking it.

End-User Notification Pages, page 17-5

End-user URL filtering warning page

Warns end users that a site they are accessing does not meet your organization’s acceptable use policies, and allows them to continue if they choose.

Configuring the End-User URL Filtering Warning Page, page 17-9


Chapter 17 Notify End-Users of Proxy Actions Configuring General Settings for Notification Pages

Configuring General Settings for Notification PagesSpecify display languages and logo for notification pages. Restrictions are described in this procedure.

Step 1 Select Security Services > End-User Notification.


Step 3 In the General Settings section, select the language the Web Proxy should use when displaying notification pages.

• The HTTP language setting applies to all HTTP notification pages (acknowledgment, on-box end-user, customized end-user, and end-user URL filtering warning).

• The FTP language applies to all FTP notification messages.

Step 4 Choose whether or not to use a logo on each notification page. You can specify the Cisco logo or any graphic file referenced at the URL you enter in the Use Custom Logo field.

This setting applies to all HTTP notification pages served over IPv4. AsyncOS does not support images over IPv6.


Related Topics

• Caveats for URLs and Logos in Notification Pages, page 17-11

End-User Acknowledgment PageYou can configure the Web Security appliance to inform users that it is filtering and monitoring their web activity. When configured, the appliance displays an end-user acknowledgment page for every user accessing the web using HTTP or HTTPS. It displays the end-user acknowledgment page when a user tries to access a website for the first time, or after a configured time interval.

The Web Proxy tracks users by username if authentication has made a username available. If no user name is available, you can choose how to track users, either by IP address or web browser session cookie.

Note Native FTP transactions are exempt from the end-user acknowledgment page.

FTP notification messages

Gives end users the reason a native FTP transaction was blocked.

Configuring FTP Notification Messages, page 17-9.

Time and Volume Quotas Expiry Warning Page

Notifies end users when their access is blocked because they have reached the configured data volume or time limit.

Configure these settings on the Security Services > End User Notification page, Time and Volume Quotas Expiry Warning Page section.

See also Time Ranges and Quotas, page 10-16.

Option Description Further information


Chapter 17 Notify End-Users of Proxy Actions End-User Acknowledgment Page

Access HTTPS and FTP Sites with the End-User Acknowledgment PageThe end-user acknowledgment page works because it displays an HTML page to the end user that forces them to click an acceptable use policy agreement. After users click the link, the Web Proxy redirects clients to the originally requested website. It keeps track of when users accepted the end-user acknowledgment page using a surrogate (either by IP address or web browser session cookie) if no username is available for the user.

• HTTPS. The Web Proxy tracks whether the user has acknowledged the end-user acknowledgment page with a cookie, but it cannot obtain the cookie unless it decrypts the transaction. You can choose to either bypass (pass through) or drop HTTPS requests when the end-user acknowledgment page is enabled and tracks users using session cookies. Do this using the advancedproxyconfig > EUN CLI command, and choose bypass for the “Action to be taken for HTTPS requests with Session based EUA (“bypass” or “drop”).” command.

• FTP over HTTP. Web browsers never send cookies for FTP over HTTP transactions, so the Web Proxy cannot obtain the cookie. To work around this, you can exempt FTP over HTTP transactions from requiring the end-user acknowledgment page. Do this by creating a custom URL category using “ftp://” as the regular expression (without the quotes) and defining and Identity policy that exempts users from the end-user acknowledgment page for this custom URL category.

About the End-user Acknowledgment Page• When a user is tracked by IP address, the appliance uses the shortest value for maximum time

interval and maximum IP address idle timeout to determine when to display the end-user acknowledgment page again.

• When a user is tracked using a session cookie, the Web Proxy displays the end-user acknowledgment page again if the user closes and then reopens their web browser or opens a second web browser application.

• Using a session cookie to track users when the client accesses HTTPS sites or FTP servers using FTP over HTTP does not work.

• When the appliance is deployed in explicit forward mode and a user goes to an HTTPS site, the end-user acknowledgment page includes only the domain name in the link that redirects the user to the originally requested URL. If the originally requested URL contains text after the domain name, that text is truncated.

• When the end-user acknowledgment page is displayed to a user, the access log entry for that transaction shows OTHER as the ACL decision tag. This is because the originally requested URL was blocked, and instead the user was shown the end-user acknowledgment page.

Configuring the End-User Acknowledgment PageYou can enable and configure the end-user acknowledgment page in the web interface or the command line interface. When you configure the end-user acknowledgment page in the web interface, you can include a custom message that appears on each page.

In the CLI, use advancedproxyconfig > eun.

Before You Begin

• To configure the display language and customize the displayed logo, see Configuring General Settings for Notification Pages, page 17-2.


Chapter 17 Notify End-Users of Proxy Actions End-User Acknowledgment Page

• If you will customize the message shown to end users, see Custom Messages on Notification Pages, page 17-10. If you require more customization than the Custom Message box allows, see Editing Notification Page HTML Files Directly, page 17-12.

Step 1 Security Services > End-User Notification.


Step 3 Enable the “Require end-user to click through acknowledgment page” field.

Step 4 Enter options:

Setting Description

Time Between Acknowledgements

The Time Between Acknowledgments determines how often the Web Proxy displays the end-user acknowledgment page for each user. This setting applies to users tracked by username and users tracked by IP address or session cookie. You can specify any value from 30 to 2678400 seconds (one month). Default is one day (86400 seconds).

When the Time Between Acknowledgments changes and is committed, the Web Proxy uses the new value even for users who have already acknowledged the Web Proxy.

Inactivity Timeout The Inactivity Timeout determines how long a user tracked and acknowledged by IP address or session cookie (unauthenticated users only) can be idle before the user is no longer considered to have agreed to the acceptable use policy. You can specify any value from 30 to 2678400 seconds (one month). Default is four hours (14400 seconds).


Chapter 17 Notify End-Users of Proxy Actions End-User Notification Pages

Step 5 (Optional) Click Preview Acknowledgment Page Customization to view the current end-user acknowledgment page in a separate browser window.

Note If the notification HTML files have been edited, this preview functionality is not available.


End-User Notification Pages When a policy blocks a user from a website, you can configure the appliance to notify the user why it blocked the URL request. There are several ways to achieve this:

Surrogate Type Determines which method the Web Proxy uses to track the user:

• IP Address. The Web Proxy allows the user at that IP address to use any web browser or non-browser HTTP process to access the web once the user clicks the link on the end-user acknowledgment page. Tracking the user by IP address allows the user to access the web until the Web Proxy displays a new end-user acknowledgment page due to inactivity or the configured time interval for new acknowledgments. Unlike tracking by a session cookie, tracking by IP address allows the user to open up multiple web browser applications and not have to agree to the end-user acknowledgment unless the configured time interval has expired.

Note When IP address is configured and the user is authenticated, the Web Proxy tracks users by username instead of IP address.

• Session Cookie. The Web Proxy sends the user’s web browser a cookie when the user clicks the link on the end-user acknowledgment page and uses the cookie to track their session. Users can continue to access the web using their web browser until the Time Between Acknowledgments value expires, they have been inactive longer than the allotted time, or they close their web browser.

If the user using a non-browser HTTP client application, they must be able to click the link on the end-user acknowledgment page to access the web. If the user opens a second web browser application, the user must go through the end-user acknowledgment process again in order for the Web Proxy to send a session cookie to the second web browser.

Note Using a session cookie to track users when the client accesses HTTPS sites or FTP servers using FTP over HTTP is not supported.

Custom message Customize the text that appears on every end-user acknowledgment page. You can include some simple HTML tags to format the text.

Note You can only include a custom message when you configure the end-user acknowledgment page in the web interface, versus the CLI.

See also Custom Messages on Notification Pages, page 17-10.

Setting Description



Configuring On-Box End-User Notification PagesOn-box pages are predefined, customizable notification pages residing on the appliance.

Before You Begin

• To configure the display language and customize the displayed logo, see Configuring General Settings for Notification Pages, page 17-2.

• If you will customize the message displayed using on-box notifications, review the topics under Custom Messages on Notification Pages, page 17-10. If you require more customization than the Custom Message box allows, see Editing Notification Page HTML Files Directly, page 17-12.



Step 3 From the Notification Type field, choose Use On Box End User Notification.

Step 4 Configure the on-box end-user notification page settings.

Step 5 (Optional) Click Preview Notification Page Customization link to view the current end-user notification page in a separate browser window.



To See

Display predefined, customizable pages that are hosted on the Web Security appliance.

Configuring On-Box End-User Notification Pages, page 17-6

Redirect the user to HTTP end-user notification pages at a specific URL.

Off-Box End-User Notification Pages, page 17-7

Setting Description

Custom Message Include any additional text required on each notification page. When you enter a custom message, AsyncOS places the message before the last sentence on the notification page which includes the contact information.

Contact Information Customize the contact information listed on each notification page.

AsyncOS displays the contact information sentence as the last sentence on a page, before providing notification codes that users can provide to the network administrator.

End-User Misclassification Reporting

When enabled, users can report misclassified URLs to Cisco. An additional button appears on the on-box end-user notification pages for sites blocked due to suspected malware or URL filters. This button allows the user to report when they believe the page has been misclassified. It does not appear for pages blocked due to other policy settings.



Off-Box End-User Notification Pages The Web Proxy can be configured to redirect all HTTP end-user notification pages to a specific URL that you specify.

Displaying the Correct Off-Box Page Based on the Reason for Blocking Access

By default, AsyncOS redirects all blocked websites to the URL regardless of the reason why it blocked the original page. However, AsyncOS also passes parameters as a query string appended to the redirect URL so you can ensure that the user sees a unique page explaining the reason for the block. For more information on the included parameters, see Off-Box End-User Notification Page Parameters, page 17-7.

When you want the user to view a different page for each reason for a blocked website, construct a CGI script on the web server that can parse the query string in the redirect URL. Then the server can perform a second redirect to an appropriate page.

URL Criteria for Off-Box Notification Pages

• You can use any HTTP or HTTPS URL.

• The URL may specify a specific port number.

• The URL may not have any arguments after the question mark.

• The URL must contain a well-formed hostname.

For example, if you have the following URL entered in the Redirect to Custom URL field:

http://www.example.com/eun.policy.html

And you have the following access log entry:

Then AsyncOS creates the following redirected URL:

Off-Box End-User Notification Page Parameters

AsyncOS passes the parameters to the web server as standard URL Parameters in the HTTP GET request. It uses the following format:

<notification_page_url>?param1=value1&param2=value2

1182468145.492 1 172.17.0.8 TCP_DENIED/403 3146 GET http://www.espn.com/index.html HTTP/1.1 - NONE/- - BLOCK_WEBCAT-DefaultGroup-DefaultGroup-NONE-NONE-DefaultRouting <IW_sprt,-,-,-,-,-,-,-,-,-,-,-,-,-,-,IW_sprt,-> -

http://www.example.com/eun.policy.html?Time=21/Jun/2007:23:22:25%20%2B0000&ID=0000000004&Client_IP=172.17.0.8&User=-&Site=www.espn.com&URI=index.html&Status_Code=403&Decision_Tag=BLOCK_WEBCAT-DefaultGroup-DefaultGroup-NONE-NONE-DefaultRouting&URL_Cat=Sports%20and%20Recreation&WBRS=-&DVS_Verdict=-&DVS_ThreatName=-&Reauth_URL=-



The table describes the parameters AsyncOS includes in the query string.

Note AsyncOS always includes all parameters in each redirected URL. If no value exists for a particular parameter, AsyncOS passes a hyphen (-).

Redirecting End-User Notification Pages to a Custom URL (Off-Box)



Step 3 In the End-User Notification Pages section, choose Redirect to Custom URL.

Parameter Name Description

Time Date and time of the transaction.

ID Transaction ID.

Client_IP IP address of the client.

User Username of the client making the request, if available.

Site Hostname of the destination in the HTTP request.

URI URL path specified in the HTTP request.

Status_Code HTTP status code for the request.

Decision_Tag ACL decision tag as defined in the Access log entry that indicates how the DVS engine handled the transaction.

URL_Cat URL category that the URL filtering engine assigned to the transaction request.

Note: AsyncOS for Web sends the entire URL category name for both predefined and user defined URL categories. It performs URL encoding on the category name, so spaces are written as “%20”.

WBRS WBRS score that the Web Reputation Filters assigned to the URL in the request.

DVS_Verdict Malware category that the DVS engine assigns to the transaction.

DVS_ThreatName The name of the malware found by the DVS engine.

Reauth_URL A URL that users can click to authenticate again if the user is blocked from a website due to a restrictive URL filtering policy. Use this parameter when the “Enable Re-Authentication Prompt If End User Blocked by URL Category or User Session Restriction” global authentication setting is enabled and the user is blocked from a website due to a blocked URL category.

To use this parameter, make sure the CGI script performs the following steps:

1. Get the value of Reauth_Url parameter.

2. URL-decode the value.

3. Base64 decode the value and get the actual re-authentication URL.

4. Include the decoded URL on the end-user notification page in some way, either as a link or button, along with instructions for users informing them they can click the link and enter new authentication credentials that allow greater access.


Chapter 17 Notify End-Users of Proxy Actions Configuring the End-User URL Filtering Warning Page

Step 4 In the Notification Page URL field, enter the URL to which you want to redirect blocked websites.

Step 5 (Optional) Click Preview Custom URL link.


Configuring the End-User URL Filtering Warning PageAn end-user URL filtering warning page is displayed when a user first accesses a website in a particular URL category after a certain period of time. You can also configure the warning page when a user accesses adult content when the site content ratings feature is enabled.

Before You Begin

If you will customize the message displayed using on-box notifications, review the topics under Custom Messages on Notification Pages, page 17-10. If you require more customization than the Custom Message box allows, see Editing Notification Page HTML Files Directly, page 17-12.



Step 3 Scroll down to the End-User URL Filtering Warning Page section.

Step 4 In the Time Between Warning field, enter the time interval the Web Proxy uses between displaying the end-user URL filtering warning page for each URL category per user.

You can specify any value from 30 to 2678400 seconds (one month). Default is 1 hour (3600 seconds). You can enter the value in seconds, minutes, or days. Use ‘s’ for seconds, ‘m’ for minutes, and ‘d’ for days.

Step 5 In the Custom Message field, enter text you want to appear on every end-user URL filtering warning page.

Step 6 (Optional) Click Preview URL Category Warning Page Customization to view the current end-user URL filtering warning page in a separate browser window.



Configuring FTP Notification MessagesThe FTP Proxy displays a predefined, customizable notification message to native FTP clients when the FTP Proxy cannot establish a connection with the FTP server for any reason, such as an error with FTP Proxy authentication or a bad reputation for the server domain name. The notification is specific to the reason the connection was blocked.


Chapter 17 Notify End-Users of Proxy Actions Custom Messages on Notification Pages

Before You Begin

If you will customize the message displayed using on-box notifications, review the topics under Custom Messages on Notification Pages, page 17-10. If you require more customization than the Custom Message box allows, see Editing Notification Page HTML Files Directly, page 17-12.



Step 3 Scroll down to the Native FTP section.

Step 4 In the Language field, select the language to use when displaying native FTP notification messages.

Step 5 In the Custom Message field, enter the text you want to display in every native FTP notification message.


Custom Messages on Notification PagesThe following sections apply to text entered into the “Custom Message” box for any notification type configured on the Edit End User Notification page.

• Supported HTML Tags in Custom Messages on Notification Pages, page 17-10

• Caveats for URLs and Logos in Notification Pages, page 17-11

Supported HTML Tags in Custom Messages on Notification PagesYou can use HTML tags to format the text in any notification on the Edit End User Notification page that offers a “Custom Message” box. Tags must be in lower case and follow standard HTML syntax (closing tags, etc.)

You can use the following HTML tags.

• <a></a>

• <span></span>

• <b></b>

• <big></big>

• <br>

• <code></code>

• <em></em>

• <i></i>

• <small></small>

• <strong></strong>

For example, you can make some text italic:

Please acknowledge the following statements <i>before</i> accessing the Internet.

With the <span> tag, you can use any CSS style to format text. For example, you can make some text red:


Chapter 17 Notify End-Users of Proxy Actions Custom Messages on Notification Pages

<span style=”color: red”>Warning:</span> You must acknowledge the following statements

<i>before</i> accessing the Internet.

Note If you need greater flexibility or wish to add JavaScript to your notification pages, you must edit the HTML notification files directly. JavaScript entered into the Custom Message box for notifications in the web user interface will be stripped out. See Editing Notification Page HTML Files Directly, page 17-12.

Caveats for URLs and Logos in Notification Pages This section applies if you will make any of the following customizations:

• Enter text into the “Custom Message” box for any notification on the Edit End User Notification page

• Directly edit HTML files for on-box notifications

• Use a custom logo

All combinations of URL paths and domain names in embedded links within custom text, and the custom logo, are exempted from the following for on-box notifications:

• User authentication

• End-user acknowledgment

• All scanning, such as malware scanning and web reputation scoring

For example, if the following URLs are embedded in custom text:

http://www.example.com/index.html

http://www.mycompany.com/logo.jpg

Then all of the following URLs will also be treated as exempt from all scanning:

http://www.example.com/index.html

http://www.mycompany.com/logo.jpg

http://www.example.com/logo.jpg

http://www.mycompany.com/index.html

Also, where an embedded URL is of the form: <protocol>://<domain-name>/<directory path>/ then all sub-files and sub-directories under that directory path on the host will also be exempted from all scanning.

For example, if the following URL is embedded: http://www.example.com/gallery2/ URLs such as http://www.example.com/gallery2/main.php will also be treated as exempt.

This allows you to create a more sophisticated page with embedded content so long as the embedded content is relative to the initial URL. However, you should also take care when deciding which paths to include as links and custom logos.


Chapter 17 Notify End-Users of Proxy Actions Editing Notification Page HTML Files Directly

Editing Notification Page HTML Files Directly Each notification page is stored on the Web Security appliance as an HTML file. If you require more customization than the “Custom Message” box in the web-based interface allows, you can directly edit these HTML files. For example, you can include standard JavaScript or edit the overall look and feel of each page.

Information in the following sections applies to any type of end-user notification HTML file on the appliance, including End-User Acknowledgment pages.

Requirements for Editing Notification HTML Files Directly • Each notification page file must be a valid HTML file. For a list of HTML tags you can include, see

Supported HTML Tags in Custom Messages on Notification Pages, page 17-10.

• The customized notification page file names must exactly match the file names shipped with the Web Security appliance.

If the configuration\eun directory does not contain a particular file with the required name, then the appliance displays the standard on-box end-user notification page.

• Do not include any links to URLs in the HTML files. Any link included in the notification pages are subject to the access control rules defined in the Access Policies and users might end up in a recursive loop.

• Test your HTML files in supported client browsers to ensure that they behave as expected, especially if they include JavaScript.

• For your customized pages to take effect, you must enable the customized files using the advancedproxyconfig > EUN > Refresh EUN Pages CLI command.

Editing Notification HTML Files Directly

Before You Begin

• Understand the requirements in Requirements for Editing Notification HTML Files Directly, page 17-12.

• See Variables for Customizing Notification HTML Files and Using Variables in Notification HTML Files, page 17-13.

Step 1 Use an FTP client to connect to the Web Security appliance.

Step 2 Navigate to the configuration\eun directory.

Step 3 Download the language directory files for the notification pages you want to edit.

Step 4 On your local machine, use a text or HTML editor to edit the HTML files.

Step 5 Use the FTP client to upload the customized HTML files to the same directory from which you downloaded them in step 3.

Step 6 Open an SSH client and connect to the Web Security appliance.

Step 7 Run the advancedproxyconfig > EUN CLI command.

Step 8 Type 2 to use the custom end-user notification pages.



Step 9 If the custom end-user notification pages option is currently enabled when you update the HTML files, type 1 to refresh the custom end-user notification pages.

If you do not do this, the new files do not take effect until the Web Proxy restarts.

Step 10 Commit your change.

Step 11 Close the SSH client.

Using Variables in Notification HTML Files When editing notification HTML files, you can include conditional variables to create if-then statements to take different actions depending on the current state.

The table describes the different conditional variable formats.

For example, the following text is some HTML code that uses %R as a conditional variable to check if re-authentication is offered, and uses %r as a regular variable to provide the re-authentication URL.

Any variable included in Variables for Customizing Notification HTML Files can be used as a conditional variable. However, the best variables to use in conditional statements are the ones that relate to the client request instead of the server response, and the variables that may or may not evaluate to TRUE instead of the variables that always evaluate to TRUE.

Variables for Customizing Notification HTML Files You can use variables in the notification HTML files to display specific information to the user. You can also turn each variable into a conditional variable to create if-then statements. For more information, see Using Variables in Notification HTML Files, page 17-13.

Conditional Variable Format Description

%?V This conditional variable evaluates to TRUE if the output of variable %V is not empty.

%!V Represents the following condition:

else

Use this with the %?V conditional variable.

%#V Represents the following condition:

endif

Use this with the %?V conditional variable.

%?R<div align="left">

<form name="ReauthInput" action="%r" method="GET"><input name="Reauth" type="button" OnClick="document.location='%r'"

id="Reauth" value="Login as different user..."></form>

</div>%#R



Variable Description

Always Evaluates to TRUE if Used as Conditional Variable

%a Authentication realm for FTP No

%A ARP address Yes

%b User-agent name No

%B Blocking reason, such as BLOCK-SRC or BLOCK-TYPE No

%c Error page contact person Yes

%C Entire Set-Cookie: header line, or empty string No

%d Client IP address Yes

%D User name No

%e Error page email address Yes

%E The error page logo URL No

%f User feedback section No

%F The URL for user feedback No

%g The web category name, if available Yes

%G Maximum file size allowed in MB No

%h The hostname of the proxy Yes

%H The server name of the URL Yes

%i Transaction ID as a hexadecimal number Yes

%I Management IP Address Yes

%j URL category warning page custom text No

%k Redirection link for the end-user acknowledgment page and end-user URL filtering warning page

No

%K Response file type No

%l WWW-Authenticate: header line No

%L Proxy-Authenticate: header line No

%M The Method of the request, such as “GET” or “POST” Yes

%n Malware category name, if available No

%N Malware threat name, if available No

%o Web reputation threat type, if available No

%O Web reputation threat reason, if available No

%p String for the Proxy-Connection HTTP header Yes

%P Protocol Yes

%q Identity policy group name Yes

%Q Policy group name for non-Identity polices Yes

%r Redirect URL No


Chapter 17 Notify End-Users of Proxy Actions Notification Page Types

Notification Page TypesBy default, the Web Proxy displays a notification page informing users they were blocked and the reason for the block.

Most notification pages display a different set of codes that may help administrators or Cisco Customer Support troubleshoot any potential problem. Some codes are for Cisco internal use only. The different codes that might appear in the notification pages are the same as the variables you can include in customized notification pages, as shown in Variables for Customizing Notification HTML Files.

The table describes the different notification pages users might encounter.

%R Re-authentication is offered. This variable outputs an empty string when false and a space when true, so it is not useful to use it alone. Instead, use it as condition variable.

No

%S The signature of the proxy No, always evaluates to FALSE

%t Timestamp in Unix seconds plus milliseconds Yes

%T The date Yes

%u The URI part of the URL (the URL excluding the server name) Yes

%U The full URL of the request Yes

%v HTTP protocol version Yes

%W Management WebUI port Yes

%X Extended blocking code. This is a 16-byte base64 value that encodes the most of the web reputation and anti-malware information logged in the access log, such as the ACL decision tag and WBRS score.

Yes

%Y Administrator custom text string, if set, else empty No

%y End-user acknowledgment page custom text Yes

%z Web reputation score Yes

%Z DLP meta data Yes

%% Prints the percent symbol (%) in the notification page N/A

Variable Description

Always Evaluates to TRUE if Used as Conditional Variable

File Name andNotification Title Notification Description Notification Text

ERR_ACCEPTED

Feedback Accepted,Thank You

Notification page that is displayed after the users uses the “Report Misclassification” option.

The misclassification report has been sent. Thank you for your feedback.

ERR_ADAPTIVE_SECURITY

Policy: General

Block page that is displayed when the user is blocked due to the Adaptive Scanning feature.

Based on your organization’s security policies, this web site <URL> has been blocked because its content has been determined to be a security risk.



ERR_ADULT_CONTENT

Policy Acknowledgment

The warning page that is displayed when the end-user accesses a page that is classified as adult content. Users can click an acknowledgment link to continue to the originally requested site.

You are trying to visit a web page whose content are rated as explicit or adult. By clicking the link below, you acknowledge that you have read and agree with the organization's policies that govern the usage of the Internet for this type of content. Data about your browsing behavior may be monitored and recorded. You will be periodically asked to acknowledge this statement for continued access to this kind of web page.

Click here to accept this statement and access the Internet.

ERR_AVC

Policy: Application Controls

Block page that is displayed when the user is blocked due to the Application Visibility and Control engine.

Based on your organization’s access policies, access to application %1 of type %2 has been blocked.

ERR_BAD_REQUEST

Bad Request

Error page that results from an invalid transaction request.

The system cannot process this request. A non-standard browser may have generated an invalid HTTP request.

If you are using a standard browser, please retry the request.

ERR_BLOCK_DEST

Policy: Destination

Block page that is displayed when the user tries to access a blocked website address.

Based on your organization’s Access Policies, access to this web site <URL> has been blocked.

ERR_BROWSER

Security: Browser

Block page that is displayed when the transaction request comes from an application that has been identified to be compromised by malware or spyware.

Based on your organization’s Access Policies, requests from your computer have been blocked because it has been determined to be a security threat to the organization’s network. Your browser may have been compromised by a malware/spyware agent identified as “<malware name>”.

Please contact <contact name> <email address> and provide the codes shown below.

If you are using a non-standard browser and believe it has been misclassified, use the button below to report this misclassification.

ERR_BROWSER_CUSTOM

Policy: Browser

Block page that is displayed when the transaction request comes from a blocked user agent.

Based on your organization’s Access Policies, requests from your browser have been blocked. This browser “<browser type>” is not permitted due to potential security risks.

ERR_CERT_INVALID

Invalid Certificate

Block page that is displayed when the requested HTTPS site uses an invalid certificate.

A secure session cannot be established because the site <hostname> provided an invalid certificate.




ERR_CONTINUE_UNACKNOWLEDGED


Warning page that is displayed when the user requests a site that is in a custom URL category that is assigned the Warn action. Users can click an acknowledgment link to continue to the originally requested site.

You are trying to visit a web page that falls under the URL Category <URL category>. By clicking the link below, you acknowledge that you have read and agree with the organization’s policies that govern the usage of the Internet for this type of content. Data about your browsing behavior may be monitored and recorded. You will be periodically asked to acknowledge this statement for continued access to this kind of web page.


ERR_DNS_FAIL

DNS Failure

Error page that is displayed when the requested URL contains an invalid domain name.

The hostname resolution (DNS lookup) for this hostname <hostname> has failed. The Internet address may be misspelled or obsolete, the host <hostname> may be temporarily unavailable, or the DNS server may be unresponsive.

Please check the spelling of the Internet address entered. If it is correct, try this request later.

ERR_EXPECTATION_FAILED

Expectation Failed

Error page that is displayed when the transaction request triggers the HTTP 417 “Expectation Failed” response.

The system cannot process the request for this site <URL>. A non-standard browser may have generated an invalid HTTP request.

If using a standard browser, please retry the request.

ERR_FILE_SIZE

Policy: File Size

Block page that is displayed when the requested file is larger than the allowed maximum file size.

Based on your organization’s Access Policies, access to this web site or download <URL> has been blocked because the download size exceeds the allowed limit.

ERR_FILE_TYPE

Policy: File Type

Block page that is displayed when the requested file is a blocked file type.

Based on your organization’s Access Policies, access to this web site or download <URL> has been blocked because the file type “<file type>” is not allowed.

ERR_FILTER_FAILURE

Filter Failure

Error page that is displayed when the URL filtering engine is temporarily unable to deliver a URL filtering response and the “Default Action for Unreachable Service” option is set to Block.

The request for page <URL> has been denied because an internal server is currently unreachable or overloaded.

Please retry the request later.

ERR_FOUND

Found

Internal redirection page for some errors. The page <URL> is being redirected to <redirected URL>.

ERR_FTP_ABORTED

FTP Aborted

Error page that is displayed when the FTP over HTTP transaction request triggers the HTTP 416 “Requested Range Not Satisfiable” response.

The request for the file <URL> did not succeed. The FTP server <hostname> unexpectedly terminated the connection.

Please retry the request later.




ERR_FTP_AUTH_REQUIRED

FTP Authorization Required

Error page that is displayed when the FTP over HTTP transaction request triggers the FTP 530 “Not Logged In” response.

Authentication is required by the FTP server <hostname>. A valid user ID and passphrase must be entered when prompted.

In some cases, the FTP server may limit the number of anonymous connections. If you usually connect to this server as an anonymous user, please try again later.

ERR_FTP_CONNECTION_FAILED

FTP Connection Failed

Error page that is displayed when the FTP over HTTP transaction request triggers the FTP 425 “Can’t open data connection” response.

The system cannot communicate with the FTP server <hostname>. The FTP server may be temporarily or permanently down, or may be unreachable because of network problems.

Please check the spelling of the address entered. If it is correct, try this request later.

ERR_FTP_FORBIDDEN

FTP Forbidden

Error page that is displayed when the FTP over HTTP transaction request is for an object the user is not allowed to access.

Access was denied by the FTP server <hostname>. Your user ID does not have permission to access this document.

ERR_FTP_NOT_FOUND

FTP Not Found

Error page that is displayed when the FTP over HTTP transaction request is for an object that does not exist on the server.

The file <URL> could not be found. The address is either incorrect or obsolete.

ERR_FTP_SERVER_ERR

FTP Server Error

Error page that is displayed for FTP over HTTP transactions that try to access a server that does support FTP. The server usually returns the HTTP 501 “Not Implemented” response.

The system cannot communicate with the FTP server <hostname>. The FTP server may be temporarily or permanently down, or may not provide this service.

Please confirm that this is a valid address. If it is correct, try this request later.

ERR_FTP_SERVICE_UNAVAIL

FTP Service Unavailable

Error page that is displayed for FTP over HTTP transactions that try to access an FTP server that is unavailable.

The system cannot communicate with the FTP server <hostname>. The FTP server may be busy, may be permanently down, or may not provide this service.

Please confirm that this is a valid address. If it is correct, try this request later.

ERR_GATEWAY_TIMEOUT

Gateway Timeout

Error page that is displayed when the requested server has not responded in a timely manner.

The system cannot communicate with the external server <hostname>. The Internet server may be busy, may be permanently down, or may be unreachable because of network problems.

Please check the spelling of the Internet address entered. If it is correct, try this request later.

ERR_IDS_ACCESS_FORBIDDEN

IDS Access Forbidden

Block page that is displayed when the user tries to upload a file that is blocked due to a configured Cisco Data Security Policy.

Based on your organization’s data transfer policies, your upload request has been blocked. File details:

<file details>




ERR_INTERNAL_ERROR

Internal Error

Error page that is displayed when there is an internal error.

Internal system error when processing the request for the page <URL>.

Please retry this request.

If this condition persists, please contact <contact name> <email address> and provide the code shown below.

ERR_MALWARE_SPECIFIC

Security: Malware Detected

Block page that is displayed when malware is detected when downloading a file.

Based on your organization’s Access Policies, this web site <URL> has been blocked because it has been determined to be a security threat to your computer or the organization’s network.

Malware <malware name> in the category <malware category> has been found on this site.

ERR_MALWARE_SPECIFIC_OUTGOING

Security: Malware Detected

Block page that is displayed when malware is detected when uploading a file.

Based on your organization’s policy, the upload of the file to URL (<URL>) has been blocked because the file was detected to contain malware that will be harmful to the receiving end's network security.

Malware Name: <malware name>

Malware Category: <malware category>

ERR_NATIVE_FTP_DENIED

Block message displayed in native FTP clients when the native FTP transaction is blocked.

530 Login denied

ERR_NO_MORE_FORWARDS

No More Forwards

Error page that is displayed when the appliance has detected a forward loop between the Web Proxy and another proxy server on the network. The Web Proxy breaks the loop and displays this message to the client.

The request for the page <URL> failed.

The server address <hostname> may be invalid, or you may need to specify a port number to access this server.

ERR_POLICY

Policy: General

Block page that is displayed when the request is blocked by any policy setting.

Based on your organization’s Access Policies, access to this web site <URL> has been blocked.

ERR_PROTOCOL

Policy: Protocol

Block page that is displayed when the request is blocked based on the protocol used.

Based on your organization’s Access Policies, this request has been blocked because the data transfer protocol “<protocol type>” is not allowed.

ERR_PROXY_AUTH_REQUIRED

Proxy Authorization Required

Notification page that is displayed when users must enter their authentication credentials to continue. This is used for explicit transaction requests.

Authentication is required to access the Internet using this system. A valid user ID and passphrase must be entered when prompted.




ERR_PROXY_PREVENT_MULTIPLE_LOGIN

Already Logged In From Another Machine

Block page that is displayed when someone tries to access the web using the same username that is already authenticated with the Web Proxy on a different machine. This is used when the User Session Restrictions global authentication option is enabled.

Based on your organization’s policies, the request to access the Internet was denied because this user ID has an active session from another IP address.

If you want to login as a different user, click on the button below and enter a different a user name and passphrase.

ERR_PROXY_REDIRECT

Redirect

Redirection page. This request is being redirected. If this page does not automatically redirect, click here to proceed.

ERR_PROXY_UNACKNOWLEDGED


End-user acknowledgment page.

For more information, see End-User Notification Pages, page 17-5.

Please acknowledge the following statements before accessing the Internet.

Your web transactions will be automatically monitored and processed to detect dangerous content and to enforce organization’s policies. By clicking the link below, you acknowledge this monitoring and accept that data about the sites you visit may be recorded. You will be periodically asked to acknowledge the presence of the monitoring system. You are responsible for following organization’s polices on Internet access.


ERR_PROXY_UNLICENSED

Proxy Not Licensed

Block page that is displayed when there is no valid license key for the Web Security appliance Web Proxy.

Internet access is not available without proper licensing of the security device.

Please contact <contact name> <email address> and provide the code shown below.

Note To access the management interface of the security device, enter the configured IP address with port.

ERR_RANGE_NOT_SATISFIABLE

Range Not Satisfiable

Error page that is displayed when the requested range of bytes cannot be satisfied by the web server.

The system cannot process this request. A non-standard browser may have generated an invalid HTTP request.

If you are using a standard browser, please retry the request.

ERR_REDIRECT_PERMANENT

Redirect Permanent

Internal redirection page. The page <URL> is being redirected to <redirected URL>.

ERR_REDIRECT_REPEAT_REQUEST

Redirect

Internal redirection page. Please repeat your request.




ERR_SAAS_AUTHENTICATION

Policy: Access Denied

Notification page that is displayed when users must enter their authentication credentials to continue. This is used for accessing applications.

Based on your organization’s policy, the request to access <URL> was redirected to a page where you must enter the login credentials. You will be allowed to access the application if authentication succeeds and you have the proper privileges.

ERR_SAAS_AUTHORIZATION


Block page that is displayed when users try to access a application that they have no privilege to access.

Based on your organization’s policy, the access to the application <URL> is blocked because you are not an authorized user. If you want to login as a different user, enter a different username and passphrase for a user that is authorized to access this application.

ERR_SAML_PROCESSING


Error page that is displayed when an internal process fails trying to process the single sign-on URL for accessing a application.

The request to access <user name> did not go through because errors were found during the process of the single sign on request.

ERR_SERVER_NAME_EXPANSION

Server Name Expansion

Internal redirection page that automatically expands the URL and redirects users to the updated URL.

The server name <hostname> appears to be an abbreviation, and is being redirected to <redirected URL>.

ERR_URI_TOO_LONG

URI Too Long

Block page that is displayed when the URL length is too long.

The requested URL was too long and could not be processed. This may represent an attack on your network.

Please contact <contact name> <email address> and provide the code shown below.

ERR_WBRS

Security: Malware Risk

Block page that is displayed when the Web Reputation Filters block the site due to a low web reputation score.

Based on your organization’s access policies, this web site <URL> has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the organization’s network. This web site has been associated with malware/spyware.

Threat Type: %o

Threat Reason: %O

ERR_WEBCAT

Policy: URL Filtering

Block page that is displayed when users try to access a website in a blocked URL category.

Based on your organization’s Access Policies, access to this web site <URL> has been blocked because the web category “<category type>” is not allowed.

ERR_WWW_AUTH_REQUIRED

WWW Authorization Required

Notification page that is displayed when the requested server requires users to enter their credentials to continue.

Authentication is required to access the requested web site <hostname>. A valid user ID and passphrase must be entered when prompted.




C H A P T E R


18Generate Reports to Monitor End-user Activity

• Overview of Reporting, page 18-1

• Using the Reporting Pages, page 18-2

• Enabling Centralized Reporting, page 18-6

• Scheduling Reports, page 18-7

• Generating Reports On Demand, page 18-8

• Archived Reports, page 18-9

Overview of Reporting The Web Security appliance generates high-level reports, allowing you to understand what is happening on the network and also allowing you to view traffic details for a particular domain, user, or category. You can run reports to view an interactive display of system activity over a specific period of time, or you can schedule reports and run them at regular intervals.

Related Topics

• Printing and Exporting Reports from Report Pages, page 18-5

Working with Usernames in ReportsWhen you enable authentication, reports list users by their usernames when they authenticate with the Web Proxy. By default, usernames are written as they appear in the authentication server. However, you can choose to make usernames unrecognizable in all reports.

Note Administrators always see usernames in reports.

Step 1 Choose Security Services > Reporting, and click Edit Settings.

Step 2 Under Local Reporting, select Anonymize usernames in reports.



Chapter 18 Generate Reports to Monitor End-user Activity Using the Reporting Pages

Report PagesThe Web Security appliance offers the following reports:

• My Dashboard (the reporting “homepage”; can also be accessed by clicking the Home icon in the left edge of the menu bar)

• Overview

• Users

• Web Sites

• URL Categories

• Application Visibility

• Anti-Malware

• Advanced Malware Protection

• File Analysis

• AMP Verdict Updates

• Client Malware Risk

• Web Reputation Filters

• L4 Traffic Monitor

• SOCKS Proxy

• Reports by User Location

• Web Tracking

• System Capacity

• System Status

• Scheduled Reports

• Archived Reports

Using the Reporting PagesThe various report pages provide an overview of system activity and support multiple options for viewing the system data. You can also search each page for Website and client-specific data.

You can perform the following tasks on most report pages:

Option Link to Task

Change the time range displayed by a report Changing the Time Range, page 18-3

Search for specific clients and domains Searching Data, page 18-3

Choose which data to display in charts Choosing Which Data to Chart, page 18-4

Export reports to external files Printing and Exporting Reports from Report Pages, page 18-5



Changing the Time RangeYou can update the data displayed for each security component using the Time Range field. This option allows you to generate updates for predefined time ranges and it allows you to define custom time ranges from a specific start time to a specific end time.

Note The time range you select is used throughout all of the report pages until you select a different value in the Time Range menu.

Note All reports display date and time information based on the system’s configured time zone, shown as a Greenwich Mean Time (GMT) offset. However, data exports display the time in GMT only to accommodate multiple systems in multiple time zones around the world.

Searching DataSome reports include a field you can use to search for particular data points. When you search for data, the report refines the report data for the particular data set you are searching. You can search for values that exactly match of the string you enter, or for values that start with the string you enter. The following report pages include search fields:

Note You need to configure Authentication to view client user IDs as well as client IP addresses.

Time Range Data is returned in...

Hour Sixty complete minutes plus up to 5 additional minutes.

Day One-hour intervals for the last 24 hours and including the current partial hour.

Week On- day intervals for the last 7 days plus the current partial day.

Month (30 days) One-day intervals for the last 30 days plus the current partial day.

Yesterday The last 24 hours (00:00 to 23:59) using the time zone defined on the Web Security appliance.

Custom Range The custom time range you defined.

When you choose Custom Range, a dialog box appears to let you enter start and end times.

Search Fields Description

Users Search for a user by user name or client IP address.

Web Sites Search for a server by domain or server IP address.

URL Categories Search for a URL category.

Application Visibility Search for an application name that the AVC engine monitors and blocks.

Client Malware Risk Search for a user by user name or client IP address.



Choosing Which Data to Chart The default charts on each Web Reporting page display commonly referenced data, but you can choose to chart different data instead. If a page has multiple charts, you can change each chart. The chart options are the same as the columns headings of the table(s) in the report.

Step 1 Click the Chart Options link below a chart.

Step 2 Choose the data to display.

Step 3 Click Done.

Custom Reports You can create a custom report page by assembling charts (graphs) and tables from existing report pages.

Modules That Cannot Be Added to Custom Reports

• Search results, including Web Tracking search results

To Do This

Add modules to your custom report page

See:

• Modules That Cannot Be Added to Custom Reports, page 18-4.

• Creating Your Custom Report Page, page 18-5

View your custom report page

1. Choose Reporting > My Reports.

2. Select the time range to view. The time range selected applies to all reports, including all modules on the My Reports page.

Newly-added modules appear at the top of the relevant section.

Rearrange modules on your custom report page

Drag and drop modules into the desired location.

Delete modules from your custom report page

Click the [X] in the top right corner of the module.

Generate a PDF or CSV version of your custom report

Select Reporting > Archived Reports and click Generate Report Now.

Periodically generate a PDF or CSV version of your custom report

Select Reporting > Scheduled Reports.



Creating Your Custom Report Page

Before You Begin

• Ensure that the modules that you want to add can be added. See Modules That Cannot Be Added to Custom Reports, page 18-4.

• Delete any default modules that you do not need by clicking the [X] in the top right corner of those module.

Step 1 Use one of the following methods to add a module to your custom report page:

Note Some modules are available only using one of these methods. If you cannot add a module using one method, try another method.

• Navigate to the report page that has the module you want to add, then click the [+] button at the top of the module.

• Go to Reporting > My Reports, click the [+] button at the top of one of the sections, then select the report module that you want to add. You may need to click the [+] button in each section on the My Reports page in order to find the module that you are looking for.

You can add each module only once; if you have already added a particular module to your report, the option to add it will not be available.

Step 2 If you add a module that you have customized (for example, by adding, deleting, or reordering columns, or by displaying non-default data in the chart), customize the modules on the My Reports page.

Modules are added with default settings. Time range of the original module is not maintained.

Step 3 If you add a chart that includes a separate legend (for example, a graph from the Overview page), add the legend separately. If necessary, drag and drop it into position beside the data it describes.

Subdomains vs. Second-level Domains in Reporting and TrackingIn reporting and tracking searches, second-level domains (regional domains listed at http://george.surbl.org/two-level-tlds) are treated differently from subdomains, although the two domain types may appear to be the same. For example:

• Reports will not include results for a two-level domain such as co.uk, but will include results for foo.co.uk. Reports include subdomains under the main corporate domain, such as cisco.com.

• Tracking search results for the regional domain co.uk will not include domains such as foo.co.uk, while search results for cisco.com will include subdomains such as subdomain.cisco.com.

Printing and Exporting Reports from Report PagesYou can generate a printer-formatted PDF version of any report page by clicking the Printable (PDF) link at the top-right corner of the page. You can also export raw data as a comma-separated value (CSV) file by clicking the Export link.

Because CSV exports include only raw data, exported data from a Web-based report page may not include calculated data such as percentages, even if that data appears in the Web-based report.

http://george.surbl.org/two-level-tlds


Chapter 18 Generate Reports to Monitor End-user Activity Enabling Centralized Reporting

Exporting Report Data

Most reports include an Export link that allows you to export raw data to a comma-separated values (CSV) file. After exporting the data to a CSV file, you can access and manipulate the data in it using applications such as Microsoft Excel.

The exported CSV data displays all message tracking and reporting data in Greenwich Mean Time (GMT) regardless of the time zone set on the Web Security appliance. The purpose of the GMT time conversion is to allow data to be used independently from the appliance, or when referencing data from appliances in multiple time zones.

The following example is an entry from a raw data export of the Anti-Malware category report, where Pacific Daylight Time (PDT) is displayed as GMT 07:00 hours:

Begin Timestamp, End Timestamp, Begin Date, End Date, Name, Transactions Monitored, Transactions Blocked, Transactions Detected

1159772400.0, 1159858799.0, 2006-10-02 07:00 GMT, 2006-10-03 06:59 GMT, Adware, 525, 2100, 2625

Note Category headers are different for each type of report.

Note If you export localized CSV data, the headings may not be rendered properly in some browsers. This occurs because some browsers may not use the proper character set for the localized text. To work around this problem, you can save the file to your local machine, and open the file in any Web browser using File > Open. When you open the file, select the character set to display the localized text.

Enabling Centralized ReportingIf your organization has multiple Web Security appliances and uses a Cisco Content Security Management Appliance to manage and view aggregated report data, you must enable centralized reporting on each Web Security appliance.

Category Header Value Description

Begin Timestamp 1159772400.0 Query start time in number of seconds from epoch.

End Timestamp 1159858799.0 Query end time in number of seconds from epoch.

Begin Date 2006-10-02 07:00 GMT Date the query began.

End Date 2006-10-03 06:59 GMT Date the query ended.

Name Adware Name of the malware category.

Transactions Monitored 525 Number of transactions monitored.

Transactions Blocked 2100 Number of transactions blocked.

Transactions Detected 2625 Total number of transactions = (Number of transactions detected) + (Number of transactions blocked).


Chapter 18 Generate Reports to Monitor End-user Activity Scheduling Reports

Note The Web Security appliance only stores all its collected data for local reporting. If Centralized Reporting is enabled on the appliance, then the Web Security appliance retains only System Capacity and System Status data, and those are the only reports available on the Web Security appliance.

Step 1 Choose Security Services > Reporting and click Edit Settings.

Step 2 Select Centralized Reporting.


What To Do Next

See the chapter “Using Centralized Web Reporting and Tracking” in your Cisco Content Security Management Appliance user guide for information about configuring this feature on the management appliance.

Scheduling ReportsYou can schedule reports to run on a daily, weekly, or monthly basis. Scheduled reports can be configured to include data for the previous day, previous seven days, or previous month.

You can schedule reports for the following types of reports:

• Overview

• Users

• Web Sites

• URL Categories

• Application Visibility

• Anti-Malware

• Advanced Malware Protection

• Advanced Malware Protection Verdict Updates

• Client Malware Risk

• Web Reputation Filters


• SOCKS Proxy

• Reports by User Location

• System Capacity

• My Dashboard

Adding a Scheduled Report

Step 1 Choose Reporting > Scheduled Reports and click Add Scheduled Report.


Chapter 18 Generate Reports to Monitor End-user Activity Generating Reports On Demand

Step 2 Choose a report Type.

Step 3 Enter a descriptive Title for the report.

Avoid creating multiple reports with the same name.

Step 4 Choose a time range for the data included in the report.

Step 5 Select the Format for the generated report.

The default format is PDF. Most reports also allow you to save raw data as a CSV file.

Step 6 Depending on the type of report you configure, you can specify different report options, such as the number of rows to include and by which column to sort the data. Configure these options as necessary.

Step 7 In the Schedule section, choose whether to run the report daily, weekly, or monthly, and at what time.

Step 8 In the Email to field, enter the email address(es) to which the generated report is to be sent.

If you do not specify an email address, the report is simply archived.

Step 9 Choose a Report Language for the data.


Editing Scheduled Reports

Step 1 Choose Reporting > Scheduled Reports.

Step 2 Select the report title from the list.

Step 3 Modify settings.


Deleting Scheduled Reports

Step 1 Choose Reporting > Scheduled Reports.

Step 2 Select the check boxes corresponding to the reports that you want to delete.

Step 3 To remove all scheduled reports, select the All check box.

Step 4 Delete and Commit Changes.

Note Archived versions of deleted reports are not deleted.

Generating Reports On Demand

Step 1 Choose Reporting > Archived Reports.


Chapter 18 Generate Reports to Monitor End-user Activity Archived Reports

Step 2 Click Generate Report Now.

Step 3 Choose a report Type.

Step 4 Enter a descriptive Title for the report.

Avoid creating multiple reports with the same name.

Step 5 Choose a time range for the data included in the report.

Step 6 Select the Format for the generated report.

The default format is PDF. Most reports also allow you to save raw data as a CSV file.

Step 7 Depending on the type of report you configure, you can specify different report options, such as the number of rows to include and by which column to sort the data. Configure these options as necessary.

Step 8 Select one of the Delivery Options:

• Archive the report (the report will appear on the Archived Reports page).

• Email now to recipients; provide one or more email addresses.

Step 9 Choose a Report Language for the data.

Step 10 Click Deliver this Report to generate the report.

Step 11 Commit Changes.

Archived ReportsThe Reporting > Archived Reports page lists available archived reports. Each name in the Report Title column provides a link to a view of that report. The Show menu filters the types of reports that are listed. The column headings can be clicked to sort the data in each column.

The appliance stores up to 12 instances of each scheduled report (up to a total of 1000 reports). Archived reports are stored in the /periodic_reports directory on the appliance. Archived reports are deleted automatically. As new reports are added, older reports are removed to keep the number at 1000. The limit of 12 instances applies to each scheduled report with the same name and time range.


Chapter 18 Generate Reports to Monitor End-user Activity Archived Reports

C H A P T E R


19Web Security Appliance Reports

• Overview Page, page 19-2

• Users Page, page 19-3

• Web Sites Page, page 19-4

• URL Categories Page, page 19-4

• Application Visibility Page, page 19-5

• Anti-Malware Page, page 19-6

• Advanced Malware Protection Page, page 19-6

• File Analysis Page, page 19-6

• AMP Verdict Updates Page, page 19-6

• Client Malware Risk Page, page 19-7

• Web Reputation Filters Page, page 19-7

• L4 Traffic Monitor Page, page 19-8

• SOCKS Proxy Page, page 19-8

• Reports by User Location Page, page 19-9

• Web Tracking Page, page 19-9

• System Capacity Page, page 19-13

• System Status Page, page 19-13


Chapter 19 Web Security Appliance Reports Overview Page

Overview PageThe Reporting > Overview page provides a synopsis of the activity on the Web Security appliance. It includes graphs and summary tables for Web traffic processed by the Web Security appliance.

System Overview

Section Description

Web Proxy Traffic Characteristics

Listing of Average transactions per second in past minute, Average bandwidth (bps) in past minute, Average response time (ms) in past minute, and Total current connections.

System Resource Utilization Listing of current Overall CPU Load, RAM and Reporting / logging disk usage. Click System Status Details to switch to the System Status page (see System Status Page, page 19-13 for details).

Note The CPU utilization value shown on this page and the CPU value shown on the System Status page may differ slightly because they are read separately, at differing moments.

Time Range-based Categories and Summaries

Section Description

Time Range: Choose a time range for the data displayed in the following sections. Options are Hour, Day, Week, 30 Days, Yesterday, or a Custom Range.

Total Web Proxy Activity Displays the actual number of transactions (vertical scale) as well as the approximate date that the (Web Proxy) activity occurred (horizontal timeline).

Web Proxy Summary Allows you to view the percentage of Web Proxy activity that are suspect or clean Web Proxy activity.

L4 Traffic Monitor Summary Reports on traffic monitored and blocked by the L4 Traffic Monitor.

Suspect Transactions Allows you to view the web transactions that have been labeled as suspect by the various security components.

Displays the actual number of transactions as well as the approximate date that the activity occurred.

Suspect Transactions Summary Allows you to view the percentage of blocked or warned transactions that are suspect.

Top URL Categories: Total Transactions

Displays the top 10 URL categories that have been blocked.

Top Application Types: Total Transactions

Displays the top application types that have been blocked by the AVC engine.

Top Malware Categories: Monitored or Blocked

Displays all malware categories that have been detected.

Top Users: Blocked or Warned Transactions

Displays the users that are generating the blocked or warned transactions. Authenticated users are displayed username and unauthenticated users are displayed by IP address.


Chapter 19 Web Security Appliance Reports Users Page

Users PageThe Reporting > Users page provides several links that allows you to view web traffic information for individual users. You can view how much time users on the network have spent on the Internet or on a particular website or URL, and how much bandwidth users have used.

User Details PageThe User Details page displays information about a specific user selected in the Users Table on the Reporting > Users page.

Section Description

Time Range (drop-down list) A menu that allows to choose the time range of the data contained in the report.

Top Users by Transactions Blocked Lists the users (vertical scale) that have the greatest number of blocked transactions (horizontal scale).

Top Users by Bandwidth Used Displays the users (vertical scale) that are using the most bandwidth on the system (horizontal scale represented in gigabyte usage).

Users Table Lists individual users and displays multiple statistics on each user.

Section Description


URL Categories by Total Transactions

Lists the specific URL categories that a specific user is using.

Trend by Total Transaction Displays at what times the user accessed the web.

URL Categories Matched Shows all matched URL categories during a specified time range for both completed and blocked transactions.

Domains Matched Displays information about a specific Domain or IP address that this user has accessed.

Note If you export this Domains data to a csv file, be aware that only the first 300,000 entries are exported to the file.

Applications Matched Displays specific application that a specific user is using as detected by the AVC engine.

Malware Threats Detected Displays the top malware threats that a specific user is triggering.

Policies Matched Displays a specific policy that is being enforced on this particular user.


Chapter 19 Web Security Appliance Reports Web Sites Page

Web Sites PageThe Reporting > Web Sites page is an overall aggregation of the activity that is happening on the Web Security appliance.

URL Categories PageThe Reporting > URL Categories page can be used to view the URL categories that are being visited by users on the network. The URL Categories page can be used in conjunction with the Application Visibility Page and the Users Page to investigate a particular user and also what types of applications or websites that a particular user is trying to access.

Note The set of predefined URL categories is occasionally updated.

Section Description

Time Range (drop-down list) Menu allows you to choose the time range of the data contained in the report.

Top Domains by Total Transactions

Lists the top domains that are being visited on the site in a graph format.

Top Domains by Transactions Blocked

Lists the top domains that triggered a block action to occur per transaction in a graph format.

Domains Matched Lists the domains that are that are being visited on the site in an interactive table.

Note If you export this Domains data to a csv file, be aware that only the first 300,000 entries are exported to the file.

Section Description

Time Range (drop-down list) Choose the time range for your report.

Top URL Categories by Total Transactions

This section lists the top URL categories that are being visited on the site in a graph format.


Chapter 19 Web Security Appliance Reports Application Visibility Page

URL Category Set Updates and Reports

The set of predefined URL categories may periodically be updated automatically on your Web Security appliance.

When these updates occur, old category names will continue to appear in reports until the data associated with the older categories is too old to be included in reports. Report data generated after a URL category set update will use the new categories, so you may see both old and new categories in the same report.

Application Visibility PageThe Reporting > Application Visibility page shows the applications and application types used and blocked as detected by the Application Visibility and Control engine.

Top URL Categories by Blocked and Warned Transactions

Lists the top URL that triggered a block or warning action to occur per transaction in a graph format.

URL Categories Matched Shows the disposition of transactions by URL category during the specified time range, plus bandwidth used and time spent in each category.

If the percentage of uncategorized URLs is higher than 15-20%, consider the following options:

• For specific localized URLs, you can create custom URL categories and apply them to specific users or group policies.

• You can report uncategorized and misclassified and URLs to the Cisco for evaluation and database update.

• Verify that Web Reputation Filtering and Anti-Malware Filtering are enabled.

Section Description

Section Description


Top Application Types by Total Transactions

This section lists the top application types that are being visited on the site in a graph format.

Top Applications by Blocked Transactions

Lists the top application types that triggered a block action to occur per transaction in a graph format.

Application Types Matched Allows you to view granular details about the application types listed in the Top Applications Type by Total Transactions graph.

Applications Matched Shows all the application during a specified time range.


Chapter 19 Web Security Appliance Reports Anti-Malware Page

Anti-Malware PageThe Reporting > Anti-Malware page allows you to monitor and identify malware detected by the Cisco IronPort DVS engine.

Malware Category Report Page

Step 1 Choose Reporting > Anti-Malware.

Step 2 In the Malware Categories interactive table, click on a category in the Malware Category column.

Malware Threat Report Page

Step 1 Choose Reporting > Anti-Malware.

Step 2 In the Malware Threat table, click on a category in the Malware Category column.

Advanced Malware Protection PageSee File Reputation and File Analysis Reporting and Tracking, page 14-11.

File Analysis PageSee File Reputation and File Analysis Reporting and Tracking, page 14-11.

AMP Verdict Updates Page See File Reputation and File Analysis Reporting and Tracking, page 14-11.

Section Description


Top Malware Categories Detected Displays the top malware categories detected by the DVS engine.

Top Malware Threats Detected Displays the top malware threats detected by the DVS engine.

Malware Categories Displays information about particular malware categories that are shown in the Top Malware Categories Detected section.

Malware Threats Displays information about particular malware threats that are shown in the Top Malware Threats section.


Chapter 19 Web Security Appliance Reports Client Malware Risk Page

Client Malware Risk PageThe Reporting > Client Malware Risk page is a security-related reporting page that can be used to monitor client malware risk activity. The Client Malware Risk page also lists client IP addresses involved in frequent malware connections, as identified by the L4 Traffic Monitor (L4TM).

Client Detail Page for Web Proxy - Clients by Malware Risk The Client Details page shows all the web activity and malware risk data for a particular client during the specified time range.

Step 1 Choose Reporting > Client Malware Risk.

Step 2 In the Web Proxy - Client Malware Risk section, click a user name in the “User ID / Client IP Address” column.

Related Topics

• User Details Page, page 23-3

Web Reputation Filters PageThe Reporting > Web Reputation Filters page is a security-related reporting page that allows you to view the results of your set Web Reputation Filters for transactions during a specified time range.

Section Description

Time Range (drop-down list) A menu that allows you to choose the time range of the data contained in the report.

Web Proxy: Top Clients by Malware Risk

This chart displays the top ten users that have encountered a malware risk.

L4 Traffic Monitor: Malware Connections Detected

This chart displays the IP addresses of the computers in your organization that most frequently connect to malware sites.

Web Proxy: Clients by Malware Risk

The Web Proxy: Clients by Malware Risk table shows detailed information about particular clients that are displayed in the Web Proxy: Top Clients by Malware Risk section.

L4 Traffic Monitor: Clients by Malware Risk

This table displays IP addresses of computers in your organization that frequently connect to malware sites.

Section Description


Web Reputation Actions (Trend) Displays the total number of web reputation actions (vertical) against the time specified (horizontal timeline).


Chapter 19 Web Security Appliance Reports L4 Traffic Monitor Page

L4 Traffic Monitor PageThe Reporting > L4 Traffic Monitor page is a security-related reporting page that displays information about malware ports and malware sites that the L4 Traffic Monitor has detected during the specified time range. It also displays IP addresses of clients that frequently encounter malware sites.

The L4 Traffic Monitor listens to network traffic that comes in over all ports on the appliance and matches domain names and IP addresses against entries in its own database tables to determine whether to allow incoming and outgoing traffic.

SOCKS Proxy Page The Reporting > SOCKS Proxy Page allows you to view data and trends for transactions processed through the SOCKS proxy, including information about top destinations and users.

Web Reputation Actions (Volume) Displays the web reputation action volume in percentages by transactions.

Web Reputation Threat Types by Blocked Transactions

Displays the threat types that were blocked due to a low reputation score.

Web Reputation Threat Types by Scanned Further Transactions

Displays the threat types that resulted in a reputation score that indicated to scan the transaction.

Web Reputation Actions (Breakdown by Score)

Displays the web reputation scores broken down for each action.

Section Description

Section Description

Time Range (drop-down list) A menu that allows you to choose a time range on which to report.

Top Client IPs Displays, in graph format, the IP addresses of computers in your organization that most frequently connect to malware sites.

Top Malware Sites Displays, in graph format, the top malware domains detected by the L4 Traffic Monitor.

Client Source IPs Displays the IP addresses of computers in your organization that frequently connect to malware sites.

Malware Ports Displays the ports on which the L4 Traffic Monitor has most frequently detected malware.

Malware Sites Detected Displays the domains on which the L4 Traffic Monitor most frequently detects malware.


Chapter 19 Web Security Appliance Reports Reports by User Location Page

Reports by User Location PageThe Reporting > Reports by User Location page allows you to find out what activities your local and remote users are conducting.

Activities include:

• URL categories that are being accessed by the local and remote users.

• Anti-Malware activity that is being triggered by sites the local and remote users are accessing.

• Web Reputation of the sites being accessed by the local and remote users.

• Applications that are being accessed by the local and remote users.

• Users (local and remote).

• Domains accessed by local and remote users.

Web Tracking Page Use the Web Tracking page to search for and get details about individual transactions or patterns of transactions that may be of concern. Depending on your needs, search in one of the following tabs:

Section Description


Total Web Proxy Activity: Remote Users

Displays the activity of your remote users (vertical) over the specified time (horizontal).

Web Proxy Summary Displays a summary of the activities of the local and remote users on the network.

Total Web Proxy Activity: Local Users

Displays the activity of your remote users (vertical) over the specified time (horizontal).

Suspect Transactions Detected: Remote Users

Displays the suspect transactions that have been detected due to Access Policies defined for remote users (vertical) over the specified time (horizontal).

Suspect Transactions Summary Displays a summary of suspected transactions of the remote users on the network.

Suspect Transactions Detected: Local Users

Displays the suspect transactions that have been detected due to Access Policies defined for your remote users (vertical) over the specified time (horizontal).

Suspect Transactions Summary Displays a summary of suspected transactions of the local users on the network.


Chapter 19 Web Security Appliance Reports Web Tracking Page

Searching for Transactions Processed by the Web Proxy You can use the Proxy Services tab on the Reporting > Web Tracking page to track and report on web usage for a particular user or for all users.

You can view search results for the type of transactions logged (blocked, monitored, warned, and completed) during a particular time period. You can also filter the data results using several criteria, such as URL category, malware threat, and application.

Note The Web Proxy only reports on transactions that include an ACL decision tag other than “OTHER-NONE.

Step 1 Choose Reporting > Web Tracking.

Step 2 Click the Proxy Services tab.

Step 3 Configure the settings.

Web Tracking Page Link to Task

Transactions processed by the Web Proxy Searching for Transactions Processed by the Web Proxy, page 19-10

Transactions processed by the L4 Traffic Monitor

Searching for Transactions Processed by the L4 Traffic Monitor, page 19-12

Transactions processed by the SOCKS Proxy Searching for Transactions Processed by the SOCKS Proxy, page 19-12

Setting Description

Time Range Choose the time range on which to report.

User/Client IP (Optional) Enter an authentication username as it appears in reports or a client IP address that you want to track. You can also enter an IP range in CIDR format.

When you leave this field empty, the search returns results for all users.

Website (Optional) Enter a website that you want to track. When you leave this field empty, the search returns results for all websites.

Transaction Type

Choose the type of transactions that you want to track, either All Transactions, Completed, Blocked, Monitored, or Warned.



Step 4 (Optional) Expand the Advanced section and configure the fields to filter the web tracking results with more advanced criteria.

Step 5 Click Search.

Results are sorted by time stamp, with the most recent result at the top.

The number in parentheses below the “Display Details” link is the number of related transactions spawned by the user-initiated transaction, such as images loaded, javascripts run, and secondary sites accessed.

Step 6 (Optional) Click Display Details in the Transactions column to view more detailed information about each transaction.

Setting Description

URL Category To filter by a URL category, select Filter by URL Category and type the first letter of a URL category by which to filter. Choose the category from the list that appears.

Application To filter by an application, select Filter by Application and choose an application by which to filter.

To filter by an application type, select Filter by Application Type and choose an application type by which to filter.

Policy To filter by the name of the policy responsible for the final decision on this transaction, select Filter by Action Policy and enter a policy group name (Access Policy, Decryption Policy, or Data Security Policy) by which to filter. See the description for PolicyGroupName in the section Web Proxy Information in Access Log Files, page 21-13 for more information.


See About Web Tracking and Advanced Malware Protection Features, page 14-13.

Malware Threat To filter by a particular malware threat, select Filter by Malware Threat and enter a malware threat name by which to filter.

To filter by a malware category, select Filter by Malware Category and choose a malware category by which to filter.

WBRS In the WBRS section, you can filter by web reputation score and by a particular web reputation threat.

• To filter by web reputation score, select Score Range and select the upper and lower values by which to filter. Or, you can filter for websites that have no score by selecting No Score.

• To filter by web reputation threat, select Filter by Reputation Threat and enter a web reputation threat by which to filter.

AnyConnect Secure Mobility

To filter by the location of users (either remote or local), select Filter by User Location and choose a user type by which to filter.

User Request To filter by transactions that were initiated by the client, select Filter by User-Requested Transactions.

Note When you enable this filter, the search results include some “best guess” transactions.



Note If you need to view more than 1000 results, click the Printable Download link to obtain a CSV file that includes the complete set of raw data, excluding details of related transactions.

Tip If a URL in the results is truncated, you can find the full URL in the access log.

To view details for up to 500 related transactions, click the Related Transactions link.

Related Topics

• URL Category Set Updates and Reports, page 19-5


• About Web Tracking and Advanced Malware Protection Features, page 14-13

Searching for Transactions Processed by the L4 Traffic Monitor The L4 Traffic Monitor tab on the Reporting > Web Tracking page provides details about connections to malware sites and ports. You can search for connections to malware sites by the following types of information:

• Time range

• Site, using IP address or domain

• Port

• IP address associated with a computer in your organization

• Connection type

The first 1000 matching search results are displayed.

Searching for Transactions Processed by the SOCKS Proxy You can search for transactions that meet a variety of criteria, including blocked or completed transactions; users; and destination domain, IP address, or port.

Step 1 Choose Web > Reporting > Web Tracking.

Step 2 Click the SOCKS Proxy tab.

Step 3 To filter results, click Advanced.

Step 4 Enter search criteria.

Step 5 Click Search.

Related Topics

• SOCKS Proxy Page, page 19-8


Chapter 19 Web Security Appliance Reports System Capacity Page

System Capacity PageThe Reporting > System Capacity page displays current and historical information about resource usage on the Web Security appliance.

When choosing time ranges for viewing data on the System Capacity page, the following is important to remember:

• Hour Report. The Hour report queries the minute table and displays the exact number of items, such as bytes and connection, that have been recorded by the appliance on an minute by minute basis over a 60 minute period.

• Day Report. The Day report queries the hour table and displays the exact number of items, such as bytes and connection, that have been recorded by the appliance on an hourly basis over a 24 hour period. This information is gathered from the hour table.

The Week Report and 30 Days Report work similarly to the Hour and Day Reports.

System Status PageUse the Reporting > System Status page to monitor the System Status. This page displays the current status and configuration of the Web Security appliance.

This Section... Displays

Web Security Appliance Status

• System uptime

• System resource utilization — CPU usage, RAM usage, and percentage of disk space used for reporting and logging.

The CPU utilization value shown on this page and the CPU value shown on the system Overview page (Overview Page, page 19-2) may differ slightly because they are read separately, at differing moments.

RAM usage for a system that is working efficiently may be above 90%, because RAM that is not otherwise in use by the system is used by the web object cache. If your system is not experiencing serious performance issues and this value is not stuck at 100%, the system is operating normally.

Note Proxy Buffer Memory is one component that uses this RAM.

Proxy Traffic Characteristics

• Transactions per second

• Bandwidth

• Response time

• Cache hit rate

• Connections

High Availability


Chapter 19 Web Security Appliance Reports System Status Page

Related Topics

• System Capacity Page, page 19-13

External Services • Identity Services Engine

Current Configuration Web Proxy settings:

• Web Proxy Status — enabled or disabled.

• Deployment Topology.

• Web Proxy Mode — forward or transparent.

• IP Spoofing — enabled or disabled.

L4 Traffic Monitor settings:

• L4 Traffic Monitor Status — enabled or disabled.

• L4 Traffic Monitor Wiring.

• L4 Traffic Monitor Action — monitor or block.

Web Security Appliance Version Information

Hardware information

This Section... Displays

C H A P T E R


20Detecting Rogue Traffic on Non-Standard Ports

• Overview of Detecting Rogue Traffic, page 20-1

• Configuring the L4 Traffic Monitor, page 20-1

• List of Known Sites, page 20-2

• Configuring L4 Traffic Monitor Global Settings, page 20-2

• Updating L4 Traffic Monitor Anti-Malware Rules, page 20-2

• Creating a Policy to Detect Rogue Traffic, page 20-3

• Viewing L4 Traffic Monitor Activity, page 20-4

Overview of Detecting Rogue TrafficThe Web Security appliance has an integrated Layer-4 Traffic Monitor that detects rogue traffic across all network ports and stops malware attempts to bypass port 80. When internal clients are infected with malware and attempt to phone-home across non-standard ports and protocols, the L4 Traffic Monitor prevents phone-home activity from going outside the corporate network. By default, the L4 Traffic Monitor is enabled and set to monitor traffic on all ports. This includes DNS and other services.

The L4 Traffic Monitor uses and maintains its own internal database. This database is continuously updated with matched results for IP addresses and domain names.

Configuring the L4 Traffic Monitor

Step 1 Configure the L4 Traffic Monitor inside the firewall.

Step 2 Ensure the L4 Traffic Monitor is ‘logically’ connected after the proxy ports and before any device that performs network address translation (NAT) on client IP addresses.

Step 3 Configure the Global Settings See Configuring L4 Traffic Monitor Global Settings, page 20-2.

Step 4 Create L4 TrafficMonitor Policies See Creating a Policy to Detect Rogue Traffic, page 20-3.


Chapter 20 Detecting Rogue Traffic on Non-Standard Ports List of Known Sites

List of Known Sites

Configuring L4 Traffic Monitor Global Settings

Step 1 Choose Security Services > L4 Traffic Monitor.


Step 3 Choose whether or not to enable the L4 Traffic Monitor.

Step 4 When you enable the L4 Traffic Monitor, choose which ports it should monitor:

• All ports. Monitors all 65535 TCP ports for rogue activity.

• All ports except proxy ports. Monitors all TCP ports except the following ports for rogue activity.

– Ports configured in the “HTTP Ports to Proxy” property on the Security Services > Web Proxy page (usually port 80).

– Ports configured in the “Transparent HTTPS Ports to Proxy” property on the Security Services > HTTPS Proxy page (usually port 443).


Updating L4 Traffic Monitor Anti-Malware Rules

Step 1 Choose Security Services > L4 Traffic Monitor.

Address Description

Known allowed Any IP address or hostname listed in the Allow List property. These addresses appear in the log files as “whitelist” addresses.

Unlisted Any IP address that is not known to be a malware site nor is a known allowed address. They are not listed on the Allow List, Additional Suspected Malware Addresses properties, or in the L4 Traffic Monitor Database. These addresses do not appear in the log files.

Ambiguous These appear in the log files as “greylist” addresses and include:

– Any IP address that is associated with both an unlisted hostname and a known malware hostname.

– Any IP address that is associated with both an unlisted hostname and a hostname from the Additional Suspected Malware Addresses property

Known malware These appear in the log files as “blacklist” addresses and include:

– Any IP address or hostname that the L4 Traffic Monitor Database determines to be a known malware site and not listed in the Allow List.

– Any IP address that is listed in the Additional Suspected Malware Addresses property, not listed in the Allow List and is not ambiguous


Chapter 20 Detecting Rogue Traffic on Non-Standard Ports Creating a Policy to Detect Rogue Traffic

Step 2 Click Update Now.

Creating a Policy to Detect Rogue TrafficThe actions the L4 Traffic Monitor takes depends on the L4 Traffic Monitor policies you configure:

Step 1 Choose Web Security Manager > L4 Traffic Monitor.


Step 3 On the Edit L4 Traffic Monitor Policies page, configure the L4 Traffic Monitor policies:

a. Define the Allow List

b. Add known good sites to the Allow List

Note Do not include the Web Security appliance IP address or hostname to the Allow List otherwise the L4 Traffic Monitor does not block any traffic.

c. Determine which action to perform for Suspected Malware Addresses:

Note When you choose to block suspected malware traffic, you can also choose whether or not to always block ambiguous addresses. By default, ambiguous addresses are monitored.

Note If the L4 Traffic Monitor is configured to block, the L4 Traffic Monitor and the Web Proxy must be configured on the same network. Use the Network > Routes page to confirm that all clients are accessible on routes that are configured for data traffic.

d. Define the Additional Suspected Malware Addresses properties

Action Description

Allow It always allows traffic to and from known allowed and unlisted addresses

Monitor It monitors traffic under the following circumstances:

– When the Action for Suspected Malware Addresses option is set to Monitor, it always monitors all traffic that is not to or from a known allowed address.

– When the Action for Suspected Malware Addresses option is set to Block, it monitors traffic to and from ambiguous addresses

Block When the Action for Suspected Malware Addresses option is set to Block, it blocks traffic to and from known malware addresses


Chapter 20 Detecting Rogue Traffic on Non-Standard Ports Viewing L4 Traffic Monitor Activity

Note Adding internal IP addresses to the Additional Suspected Malware Addresses list causes legitimate destination URLs to show up as malware in L4 Traffic Monitor reports. To avoid this do not enter internal IP addresses in the “Additional Suspected Malware Addresses” field on the Web Security Manager > L4 Traffic Monitor Policies page.


Related Topics

• Overview of Detecting Rogue Traffic, page 20-1

• Valid Formats, page 20-4.

Valid Formats

When you add addresses to the Allow List or Additional Suspected Malware Addresses properties, separate multiple entries with whitespace or commas. You can enter addresses in any of the following formats:

• IPv4 IP address. Example: IPv4 format: 10.1.1.0. IPv6 format: 2002:4559:1FE2::4559:1FE2

• CIDR address. Example: 10.1.1.0/24.

• Domain name. Example: example.com.

• Hostname. Example: crm.example.com.

Viewing L4 Traffic Monitor ActivityThe S-Series appliance supports several options for generating feature specific reports and interactive displays of summary statistics.

Monitoring Activity and Viewing Summary StatisticsThe Reporting > L4 Traffic Monitor page provides statistical summaries of monitoring activity. You can use the following displays and reporting tools to view the results of L4 Traffic Monitor activity:

To view... See...

Client statistics Reporting > Client Activity

Malware statistics

Port statistics

Reporting > L4 Traffic Monitor

L4 Traffic Monitor log files System Administration > Log Subscriptions

• trafmon_errlogs

• trafmonlogs



Note If the Web Proxy is configured as a forward proxy and L4 Traffic Monitor is set to monitor all ports, the IP address of the proxy’s data port is recorded and displayed as a client IP address in the client activity report on the Reporting > Client Activity page. If the Web Proxy is configured as a transparent proxy, enable IP spoofing to correctly record and display the client IP addresses.

L4 Traffic Monitor Log File EntriesThe L4 Traffic Monitor log file provides a detailed record of monitoring activity.



C H A P T E R


21Monitor System Activity Through Logs

• Overview of Logging, page 21-1

• Common Tasks for Logging, page 21-2

• Best Practices for Logging, page 21-2

• Troubleshooting Web Proxy Issues Using Logs, page 21-2

• Log File Types, page 21-3

• Adding and Editing Log Subscriptions, page 21-7

• Pushing Log Files to Another Server, page 21-11

• Archiving Log Files, page 21-11

• Log File Names and Appliance Directory Structure, page 21-12

• Viewing Log Files, page 21-13

• Web Proxy Information in Access Log Files, page 21-13

• Interpreting Access Log Scanning Verdict Entries, page 21-20

• W3C Compliant Access Log Files, page 21-24

• Customizing Access Logs, page 21-26

• Traffic Monitor Log Files, page 21-29

• Log File Fields and Tags, page 21-30

• Troubleshooting Logging, page 21-41

Overview of LoggingThe Web Security appliance records its own system and traffic management activities by writing them to log files. Administrators can consult these log files to monitor and troubleshoot the appliance.

The appliance divides different types of activity into different logging types to simplify the task of finding information on specific activities. The majority of these are automatically enabled by default, but some must be manually enabled as required.

You enable and manage log files through log file subscriptions. Subscriptions allow you to define the settings for creating, customizing, and managing log files.

The two main log files types typically used by administrators are:

• Access log. This records all Web Proxy filtering and scanning activity.

• Traffic Monitor log. This records all Layer-4 Traffic Monitor activity.


Chapter 21 Monitor System Activity Through Logs Common Tasks for Logging

You can view current and past appliance activity using these and other log types. Reference tables are available to help you interpret log file entries.

Related Topics

• Common Tasks for Logging, page 21-2


Common Tasks for Logging

Best Practices for Logging• Minimizing the number of log subscriptions will benefit system performance.

• Logging fewer details will benefit system performance.

Troubleshooting Web Proxy Issues Using LogsBy default, the Web Security appliance has one log subscription created for Web Proxy logging messages, called the “Default Proxy Logs.” This captures basic information on all Web Proxy modules. The appliance also includes log file types for each Web Proxy module so you can read more specific debug information for each module without cluttering up the Default Proxy Logs.

Follow the steps below to troubleshoot Web Proxy issues using the various logs available.

Step 1 Read the Default Proxy Logs.

Step 2 If you see an entry that might related to the issue but does not have enough information to resolve it, create a log subscription for the relevant specific Web Proxy module. The following Web Proxy module logs types are available:

Task Links to Related Topics and Procedures

Troubleshoot web proxy issues using logs Troubleshooting Web Proxy Issues Using Logs, page 21-2

Add and edit log subscriptions Adding and Editing Log Subscriptions, page 21-7

View log files Viewing Log Files, page 21-13

Interpret log files Interpreting Access Log Scanning Verdict Entries, page 21-20

Customize log files Customizing Access Logs, page 21-26

Push log files to another server Pushing Log Files to Another Server, page 21-11

Archiving log files Archiving Log Files, page 21-11


Chapter 21 Monitor System Activity Through Logs Log File Types

Step 3 Recreate the issue and read the new Web Proxy module log for relevant entries.

Step 4 Repeat as required with other Web Proxy module logs.

Step 5 Remove subscriptions that are no longer required.

Related Topics



Log File TypesSome log types related to the web proxy component are not enabled. The main web proxy log type, called the “Default Proxy Logs,” is enabled by default and captures basic information on all Web Proxy modules. Each Web Proxy module also has its own log type that you can manually enable as required.

The following table describes the Web Security appliance log file types.

Access Control Engine Logs

AVC Engine Framework Logs

Configuration Logs

Connection Management Logs

Data Security Module Logs

DCA Engine Framework Logs

Disk Manager Logs

FireAMP

FTP Proxy Logs

HTTPS Logs

License Module Logs

Logging Framework Logs

McAfee Integration Framework Logs

Memory Manager Logs

Miscellaneous Proxy Modules Logs

Request Debug Logs

SNMP Module Logs

Sophos Integration Framework Logs

WBRS Framework Logs

WCCP Module Logs

Webcat Integration Framework Logs

Webroot Integration Framework Logs

Log File Type DescriptionSupports Syslog Push?

Enabled by Default?

Access Control Engine Logs

Records messages related to the Web Proxy ACL (access control list) evaluation engine.

No No

AMP Engine Logs Records information about file reputation scanning and file analysis (Advanced Malware Protection.)

See also Log Files, page 14-17.

Yes Yes

Audit Logs Records AAA (Authentication, Authorization, and Accounting) events. Records all user interaction with the application and command-line interfaces, and captures committed changes.

Yes Yes

Access Logs Records Web Proxy client history. Yes Yes



Authentication Framework Logs

Records authentication history and messages. No Yes

AVC Engine Framework Logs

Records messages related to communication between the Web Proxy and the AVC engine.

No No

AVC Engine Logs Records debug messages from the AVC engine. Yes Yes

CLI Audit Logs Records a historical audit of command line interface activity.

Yes Yes

Configuration Logs Records messages related to the Web Proxy configuration management system.

No No

Connection Management Logs

Records messages related to the Web Proxy connection management system.

No No

Data Security Logs Records client history for upload requests that are evaluated by the Cisco Data Security Filters.

Yes Yes

Data Security Module Logs

Records messages related to the Cisco Data Security Filters.

No No

DCA Engine Framework Logs

(Dynamic Content Analysis)

Records messages related to communication between the Web Proxy and the Cisco Web Usage Controls Dynamic Content Analysis engine.

No No

DCA Engine Logs

(Dynamic Content Analysis)

Records messages related to the Cisco Web Usage Controls Dynamic Content Analysis engine.

Yes Yes

Default Proxy Logs Records errors related to the Web Proxy.

This is the most basic of all Web Proxy related logs. To troubleshoot more specific aspects related to the Web Proxy, create a log subscription for the applicable Web Proxy module.

Yes Yes

Disk Manager Logs Records Web Proxy messages related to writing to the cache on disk.

No No

External Authentication Logs

Records messages related to using the external authentication feature, such as communication success or failure with the external authentication server.

Even with external authentication is disabled, this log contains messages about local users successfully or failing logging in.

No Yes

Feedback Logs Records the web users reporting misclassified pages.

Yes Yes

FTP Proxy Logs Records error and warning messages related to the FTP Proxy.

No No

FTP Server Logs Records all files uploaded to and downloaded from the Web Security appliance using FTP.

Yes Yes


Enabled by Default?



GUI Logs

(Graphical User Interface)

Records history of page refreshes in the web interface. GUI logs also include information about SMTP transactions, for example information about scheduled reports emailed from the appliance.

Yes Yes

Haystack Logs Haystack logs record web transaction tracking data processing.

Yes Yes

HTTPS Logs Records Web Proxy messages specific to the HTTPS Proxy (when the HTTPS Proxy is enabled).

No No

ISE Server Logs Records ISE server(s) connection and operational information.

Yes Yes

License Module Logs

Records messages related to the Web Proxy’s license and feature key handling system.

No No

Logging Framework Logs

Records messages related to the Web Proxy’s logging system.

No No

Logging Logs Records errors related to log management. Yes Yes

McAfee Integration Framework Logs

Records messages related to communication between the Web Proxy and the McAfee scanning engine.

No No

McAfee Logs Records the status of anti-malware scanning activity from the McAfee scanning engine.

Yes Yes

Memory Manager Logs

Records Web Proxy messages related to managing all memory including the in-memory cache for the Web Proxy process.

No No

Miscellaneous Proxy Modules Logs

Records Web Proxy messages that are mostly used by developers or customer support.

No No

AnyConnect Secure Mobility Daemon Logs

Records the interaction between the Web Security appliance and the AnyConnect client, including the status check.

Yes Yes

NTP Logs

(Network Time Protocol)

Records changes to the system time made by the Network Time Protocol.

Yes Yes

PAC File Hosting Daemon Logs

Records proxy auto-config (PAC) file usage by clients.

Yes Yes

Proxy Bypass Logs Records transactions that bypass the Web Proxy. No Yes

Reporting Logs Records a history of report generation. Yes Yes

Reporting Query Logs

Records errors related to report generation. Yes Yes


Enabled by Default?



Request Debug Logs Records very detailed debug information on a specific HTTP transaction from all Web Proxy module log types. You might want to create this log subscription to troubleshoot a proxy issue with a particular transaction without creating all other proxy log subscriptions.

Note: You can create this log subscription in the CLI only.

No No

Auth Logs Records messages related to the Access Control feature.

Yes Yes

SHD Logs

(System Health Daemon)

Records a history of the health of system services and a history of unexpected daemon restarts.

Yes Yes

SNMP Logs Records debug messages related to the SNMP network management engine.

Yes Yes

SNMP Module Logs Records Web Proxy messages related to interacting with the SNMP monitoring system.

No No

Sophos Integration Framework Logs

Records messages related to communication between the Web Proxy and the Sophos scanning engine.

No No

Sophos Logs Records the status of anti-malware scanning activity from the Sophos scanning engine.

Yes Yes

Status Logs Records information related to the system, such as feature key downloads.

Yes Yes

System Logs Records DNS, error, and commit activity. Yes Yes

Traffic Monitor Error Logs

Records L4TM interface and capture errors. Yes Yes

Traffic Monitor Logs

Records sites added to the L4TM block and allow lists.

No Yes

UDS Logs

(User Discovery Service)

Records data about how the Web Proxy discovers the user name without doing actual authentication. It includes information about interacting with the Cisco adaptive security appliance for the Secure Mobility as well as integrating with the Novell eDirectory server for transparent user identification.

Yes Yes

Updater Logs Records a history of WBRS and other updates. Yes Yes

W3C Logs Records Web Proxy client history in a W3C compliant format.

For more information, see W3C Compliant Access Log Files, page 21-24.

Yes No

WBNP Logs

(SensorBase Network Participation)

Records a history of Cisco SensorBase Network participation uploads to the SensorBase network.

No Yes


Enabled by Default?


Chapter 21 Monitor System Activity Through Logs Adding and Editing Log Subscriptions

Adding and Editing Log SubscriptionsYou can create multiple log subscriptions for each type of log file. Subscriptions include configuration details for archiving and storage, including these:

– Rollover settings, which determine when log files are archived.

– Compression settings for archived logs.

– Retrieval settings for archived logs, which specifies whether logs are archived onto a remote server or stored on the appliance.

Step 1 Choose System Administration > Log Subscriptions.

Step 2 To add a log subscription, click Add Log Subscription. Or, to edit a log subscription, click the name of the log file in the Log Name field.

Step 3 Configure the subscription:

WBRS Framework Logs

(Web Reputation Score)

Records messages related to communication between the Web Proxy and the Web Reputation Filters.

No No

WCCP Module Logs Records Web Proxy messages related to implementing WCCP.

No No

Webcat Integration Framework Logs

Records messages related to communication between the Web Proxy and the URL filtering engine associated with Cisco Web Usage Controls.

No No

Webroot Integration Framework Logs

Records messages related to communication between the Web Proxy and the Webroot scanning engine.

No No

Webroot Logs Records the status of anti-malware scanning activity from the Webroot scanning engine.

Yes Yes

Welcome Page Acknowledgement Logs

Records a history of web clients who click the Accept button on the end-user acknowledgement page.

Yes Yes


Enabled by Default?

Option Description

Log Type A list of available log file types that you can subscribe to. The other options on the page may change according to log file type you choose.

Note The Request Debug Logs log type can only be subscribed to using the CLI and does not appear on this list.

Log Name The name used to refer to the subscription on the Web Security appliance. This name is also used for the log directory which will store the log files for the subscription.



Rollover by File Size The maximum file size to which the current log file can grow before it is archived and a new log file started. Enter a number between 100 kilobytes and 10 gigabytes.

Rollover by Time The maximum time interval before the current log file is archived and a new log file started. The following interval types are available:

• None. AsyncOS only performs a rollover when the log file reaches the maximum file size.

• Custom Time Interval. AsyncOS performs a rollover after a specified amount of time has passed since the previous rollover. Specify the number of days, hours, minutes, and seconds between rollovers using d, h, m, and s as suffixes.

• Daily Rollover. AsyncOS performs a rollover every day at a specified time. Separate multiple times a day using a comma. Use an asterisk (*) for the hour to have rollover occur every hour during the day. You can also use an asterisk to rollover every minute of an hour.

• Weekly Rollover. AsyncOS performs a rollover on one or more days of the week at a specified time.

Log Style

(Access Logs)

Specifies the log format to use, either Squid, Apache, or Squid Details.

Custom Fields

(Access Logs)

Allows you to include custom information in each access log entry.

The syntax for entering format specifiers in the Custom Field is as follows:

<format_specifier_1> <format_specifier_2> ...

For example: %a %b %E

You can add tokens before the format specifiers to display descriptive text in the access log file. For example:

client_IP %a body_bytes %b error_type %E

where client_IP is the description token for log format specifier %a, and so on.

File Name The name of the log files. Current log files are appended with a .c extension and rolled over log files are appended with the file creation timestamp and a .s extension.

Option Description



Log Fields

(W3C Access Logs)

Allows you to choose the fields you want to include in the W3C access log.

Select a field in the Available Fields list, or type a field in the Custom Field box, and click Add.

The order the fields appear in the Selected Log Fields list determines the order of fields in the W3C access log file. You can change the order of fields using the Move Up and Move Down buttons. You can remove a field by selecting it in the Selected Log Fields list and clicking Remove.

You can enter multiple user defined fields in the Custom Fields box and add them simultaneously as long as each entry is separated by a new line (click Enter) before clicking Add.

When you change the log fields included in a W3C log subscription, the log subscription automatically rolls over. This allows the latest version of the log file to include the correct new field headers.

Log Compression Specifies whether or not rolled over files are compressed. AsyncOS compresses log files using the gzip compression format.

Log Exclusions (Optional)

(Access Logs)

Allows you to specify HTTP status codes (4xx or 5xx only) to exclude the associated transactions from an access log or a W3C access log.

For example, entering 401 will filter out authentication failure requests that have that transaction number.

Log Level Specifies the level of detail for log entries. Choose from:

• Critical. Includes errors only. This is the least detailed setting and is equivalent to the syslog level “Alert.”

• Warning. Includes errors and warnings. This log level is equivalent to the syslog level “Warning.”

• Information. Includes errors, warnings and additional system operations. This is the default detail level and is equivalent to the syslog level “Info.”

• Debug. Includes data useful for debugging system problems. Use the Debug log level when you are trying to discover the cause of an error. Use this setting temporarily, and then return to the default level. This log level is equivalent to the syslog level “Debug.”

• Trace. This is the most detailed setting. This level includes a complete record of system operations and activity. The Trace log level is recommended only for developers. Using this level causes a serious degradation of system performance and is not recommended. This log level is equivalent to the syslog level “Debug.”

Note More detailed settings create larger log files and have a greater impact on system performance.

Retrieval Method Specifies where rolled over log files are stored and how they are retrieved for reading. See below for descriptions of the available methods.

Option Description




Retrieval Method:

FTP on Appliance

The FTP on Appliance method (equivalent to FTP Poll) requires a remote FTP client accessing the appliance to retrieve log files using an admin or operator user’s username and passphrase.

When you choose this method, you must enter the maximum number of log files to store on the appliance. When the maximum number is reached, the system deletes the oldest file.

This is the default retrieval method.

Retrieval Method:

FTP on Remote Server

The FTP on Remote Server method (equivalent to FTP Push) periodically pushes log files to an FTP server on a remote computer.

When you choose this method, you must enter the following information:

• FTP server hostname

• Directory on FTP server to store the log file

• Username and passphrase of a user that has permission to connect to the FTP server

Note AsyncOS for Web only supports passive mode for remote FTP servers. It cannot push log files to an FTP server in active mode.

Retrieval Method:

SCP on Remote Server

The SCP on Remote Server method (equivalent to SCP Push) periodically pushes log files using the secure copy protocol to a remote SCP server. This method requires an SSH SCP server on a remote computer using the SSH2 protocol. The subscription requires a user name, SSH key, and destination directory on the remote computer. Log files are transferred based on a rollover schedule set by you.


• SCP server hostname

• Directory on SCP server to store the log file

• Username of a user that has permission to connect to the SCP server

Retrieval Method:

Syslog Push

You can only choose syslog for text-based logs.

The Syslog Push method sends log messages to a remote syslog server on port 514. This method conforms to RFC 3164.


• Syslog server hostname

• Protocol to use for transmission, either UDP or TCP

• Maximum message size

Valid values for UDP are 1024 to 9216.

Valid values for TCP are 1024 to 65535.

Maximum message size depends on the syslog server configuration.

• Facility to use with the log

Option Description


Chapter 21 Monitor System Activity Through Logs Pushing Log Files to Another Server

What to Do Next

• If you chose SCP as the retrieval method, notice that the appliance displays an SSH key, which you will add to the SCP server host. See Pushing Log Files to Another Server, page 21-11.

Related Topics



Pushing Log Files to Another ServerBefore You Begin

• Create or edit the desired log subscription, choosing SCP as the retrieval method. Adding and Editing Log Subscriptions, page 21-7

Step 1 Add keys to the remote system:

a. Access the CLI.

b. Enter the logconfig -> hostkeyconfig command.

c. Use the commands below to display the keys:

d. Add these keys to the remote system.

Step 2 Still in the CLI, add the remote server’s SSH public host key to the appliance:

e. Commit your changes.

Archiving Log FilesAsyncOS archives (rolls over) log subscriptions when a current log file reaches a user-specified limit of maximum file size or maximum time since last rollover.

These archive settings are included in log subscriptions:

• Rollover by File Size

• Rollover by Time

Command Description

Host Display system host keys. This is the value to place in the remote system’s ‘known_hosts’ file.

User Displays the public key of the system account that pushes the logs to the remote machine. This is the same key that is displayed when setting up an SCP push subscription. This is the value to place in the remote system’s ‘authorized_keys’ file.

Command Description

New Add a new key.

Fingerprint Display system host key fingerprints.


Chapter 21 Monitor System Activity Through Logs Log File Names and Appliance Directory Structure

• Log Compression

• Retrieval Method

You can also manually archive (rollover) log files.


Step 2 Check the checkbox in the Rollover column of the log subscriptions you wish to archive, or check the All checkbox to select all the subscriptions.

Step 3 Click Rollover Now to archive the selected logs.

Related Topics



Log File Names and Appliance Directory StructureThe appliance creates a directory for each log subscription based on the log subscription name. The name of the log file in the directory is composed of the following information:

• Log file name specified in the log subscription

• Timestamp when the log file was started

• A single-character status code, either .c (signifying current) or .s (signifying saved)

The filename of logs are made using the following formula:

/LogSubscriptionName/[email protected]

Note You should only transfer log files with the saved status.

Reading and Interpreting Log FilesYou can read current log file activity as a means of monitoring and troubleshooting the Web Security appliance. This is done using the appliance interface.

You can also read archived files for a record of past activity. This can be done using the appliance interface if the archived files are stored on the appliance; otherwise they must be read from their external storage location using an appropriate method.

Each item of information in a log file is represented by a field variable. By determining which fields represent which items of information, you can look up the field function and interpret the log file contents. For W3C compliant access logs, the file header lists field names in the order in which they appear in log entries. For standard Access logs, however, you must consult the documentation regarding this log type for information on its field order.

Related Topics

• Viewing Log Files, page 21-13.

• Web Proxy Information in Access Log Files, page 21-13.


Chapter 21 Monitor System Activity Through Logs Viewing Log Files

• Interpreting W3C Access Logs, page 21-24.

• Interpreting Traffic Monitor Logs, page 21-29.

• Log File Fields and Tags, page 21-30.

Viewing Log FilesBefore You Begin

• Be aware that this method of viewing is for log files that are stored on the appliance. The process of viewing files stored externally goes beyond the scope of this documentation.


Step 2 Click the name of the log subscription in the Log Files column of the list of log subscriptions.

Step 3 When prompted, enter the administers username and passphrase for accessing the appliance.

Step 4 When logged in, click one of the log files to view it in your browser or to save it to disk.

Step 5 Refresh the browser for updated results.

Note If a log subscription is compressed, download, decompress, and then open it.

Related Topics



• Interpreting Traffic Monitor Logs, page 21-29.

Web Proxy Information in Access Log FilesAccess log files provides a descriptive record of all Web Proxy filtering and scanning activity. Access log file entries display a record of how the appliance handled each transaction.

Access logs are available in two formats: Standard and W3C compliant. W3C-compliant log files are more customizable with regard to their content and layout than standard Access logs.

The following text is an example access log file entry for a single transaction:

1278096903.150 97 172.xx.xx.xx TCP_MISS/200 8187 GET http://my.site.com/ - DIRECT/my.site.com text/plain DEFAULT_CASE_11-PolicyGroupName-Identity-OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-RoutingPolicy <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e”> -


Chapter 21 Monitor System Activity Through Logs Web Proxy Information in Access Log Files

Format Specifier Field Value Field Description

%t 1278096903.150 Timestamp since UNIX epoch.

%e 97 Elapsed time (latency) in milliseconds.

%a 172.xx.xx.xx Client IP address.

Note: You can choose to mask the IP address in the access logs using the advancedproxyconfig > authentication CLI command.

%w TCP_MISS Transaction result code.

For more information, see W3C Compliant Access Log Files, page 21-24.

%h 200 HTTP response code.

%s 8187 Response size (headers + body).

%2r GET http://my.site.com/ First line of the request.

Note: When the first line of the request is for a native FTP transaction, some special characters in the file name are URL encoded in the access logs. For example, the “@” symbol is written as “%40” in the access logs.

The following characters are URL encoded:

& # % + , : ; = @ ^ { } [ ]

%A - Authenticated username.

Note: You can choose to mask the username in the access logs using the advancedproxyconfig > authentication CLI command.

%H DIRECT Code that describes which server was contacted for the retrieving the request content.

Most common values include:

• NONE. The Web Proxy had the content, so it did not contact any other server to retrieve the content.

• DIRECT. The Web Proxy went to the server named in the request to get the content.

• DEFAULT_PARENT. The Web Proxy went to its primary parent proxy or an external DLP server to get the content.

%d my.site.com Data source or server IP address.

%c text/plain Response body MIME type.

%D DEFAULT_CASE_11 ACL decision tag.

Note: The end of the ACL decision tag includes a dynamically generated number that the Web Proxy uses internally. You can ignore this number.

For more information, see ACL Decision Tags, page 21-16.



N/A (Part of the ACL decision tag)

PolicyGroupName Name of policy group responsible for the final decision on this transaction (Access Policy, Decryption Policy, or Data Security Policy). When the transaction matches a global policy, this value is “DefaultGroup.”

Any space in the policy group name is replaced with an underscore ( _ ).


Identity Identity policy group name.



OutboundMalwareScanning

Policy Outbound Malware Scanning Policy group name.



DataSecurityPolicy Cisco IronPort Data Security Policy group name. When the transaction matches the global Cisco IronPort Data Security Policy, this value is “DefaultGroup.” This policy group name only appears when Cisco IronPort Data Security Filters is enabled. “NONE” appears when no Data Security Policy was applied.



ExternalDLPPolicy External DLP Policy group name. When the transaction matches the global External DLP Policy, this value is “DefaultGroup.” “NONE” appears when no External DLP Policy was applied.



RoutingPolicy Routing Policy group name as ProxyGroupName/ProxyServerName.

When the transaction matches the global Routing Policy, this value is “DefaultRouting.” When no upstream proxy server is used, this value is “DIRECT.”


%Xr <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e”>

Scanning verdict information. Inside the angled brackets, the access logs include verdict information from various scanning engines.

For more information about the values included within the angled brackets, see Interpreting Access Log Scanning Verdict Entries, page 21-20 and Malware Scanning Verdict Values, page 21-40.

%?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.

- Suspect user agent.

Format Specifier Field Value Field Description



Transaction Result CodesTransaction result codes in the access log file describe how the appliance resolves client requests. For example, if a request for an object can be resolved from the cache, the result code is TCP_HIT. However, if the object is not in the cache and the appliance pulls the object from an origin server, the result code is TCP_MISS. The following table describes transaction result codes.

ACL Decision TagsAn ACL decision tag is a field in an access log entry that indicates how the Web Proxy handled the transaction. It includes information from the Web Reputation filters, URL categories, and the scanning engines.

Note The end of the ACL decision tag includes a dynamically generated number that the Web Proxy uses internally to increase performance. You can ignore this number.

The following table describes the ACL decision tag values.

Result Code Description

TCP_HIT The object requested was fetched from the disk cache.

TCP_IMS_HIT The client sent an IMS (If-Modified-Since) request for an object and the object was found in the cache. The proxy responds with a 304 response.

TCP_MEM_HIT The object requested was fetched from the memory cache.

TCP_MISS The object was not found in the cache, so it was fetched from the origin server.

TCP_REFRESH_HIT The object was in the cache, but had expired. The proxy sent an IMS (If-Modified-Since) request to the origin server, and the server confirmed that the object has not been modified. Therefore, the appliance fetched the object from either the disk or memory cache.

TCP_CLIENT_REFRESH_MISS The client sent a “don’t fetch response from cache” request by issuing the ‘Pragma: no-cache’ header. Due to this header from the client, the appliance fetched the object from the origin server.

TCP_DENIED The client request was denied due to Access Policies.

UDP_MISS The object was fetched from the origin server.

NONE There was an error in the transaction. For example, a DNS failure or gateway timeout.

ACL Decision Tag DescriptionALLOW_ADMIN_ERROR_PAGE The Web Proxy allowed the transaction to an notification page

and to any logo used on that page.

ALLOW_CUSTOMCAT The Web Proxy allowed the transaction based on custom URL category filtering settings for the Access Policy group.

ALLOW_REFERER The Web Proxy allowed the transaction based on an embedded/referred content exemption.

ALLOW_WBRS The Web Proxy allowed the transaction based on the Web Reputation filter settings for the Access Policy group.



BLOCK_ADMIN Transaction blocked based on some default settings for the Access Policy group.

BLOCK_ADMIN_CONNECT Transaction blocked based on the TCP port of the destination as defined in the HTTP CONNECT Ports setting for the Access Policy group.

BLOCK_ADMIN_CUSTOM_USER_AGENT Transaction blocked based on the user agent as defined in the Block Custom User Agents setting for the Access Policy group.

BLOCK_ADMIN_HTTPS_NonLocalDestination

Transaction blocked; client tried to bypass authentication using the SSL port as an explicit proxy. To prevent this, if an SSL connection is to the WSA itself, only requests to the actual WSA redirect hostname are allowed.

BLOCK_ADMIN_IDS Transaction blocked based on the MIME type of the request body content as defined in the Data Security Policy group.

BLOCK_ADMIN_FILE_TYPE Transaction blocked based on the file type as defined in the Access Policy group.

BLOCK_ADMIN_PROTOCOL Transaction blocked based on the protocol as defined in the Block Protocols setting for the Access Policy group.

BLOCK_ADMIN_SIZE Transaction blocked based on the size of the response as defined in the Object Size settings for the Access Policy group.

BLOCK_ADMIN_SIZE_IDS Transaction blocked based on the size of the request body content as defined in the Data Security Policy group.

BLOCK_AMP_RESP The Web Proxy blocked the response based on the Advanced Malware Protection settings for the Access Policy group.

BLOCK_AMW_REQ The Web Proxy blocked the request based on the Anti-Malware settings for the Outbound Malware Scanning Policy group. The request body produced a positive malware verdict.

BLOCK_AMW_RESP The Web Proxy blocked the response based on the Anti-Malware settings for the Access Policy group.

BLOCK_AMW_REQ_URL The Web Proxy suspects the URL in the HTTP request might not be safe, so it blocked the transaction at request time based on the Anti-Malware settings for the Access Policy group.

BLOCK_AVC Transaction blocked based on the configured Application settings for the Access Policy group.

BLOCK_CONTENT_UNSAFE Transaction blocked based on the site content ratings settings for the Access Policy group. The client request was for adult content and the policy is configured to block adult content.

BLOCK_CONTINUE_CONTENT_UNSAFE Transaction blocked and displayed the Warn and Continue page based on the site content ratings settings in the Access Policy group. The client request was for adult content and the policy is configured to give a warning to users accessing adult content.

BLOCK_CONTINUE_CUSTOMCAT Transaction blocked and displayed the Warn and Continue page based on a custom URL category in the Access Policy group configured to “Warn.”

ACL Decision Tag Description



BLOCK_CONTINUE_WEBCAT Transaction blocked and displayed the Warn and Continue page based on a predefined URL category in the Access Policy group configured to “Warn.”

BLOCK_CUSTOMCAT Transaction blocked based on custom URL category filtering settings for the Access Policy group.

BLOCK_ICAP The Web Proxy blocked the request based on the verdict of the external DLP system as defined in the External DLP Policy group.

BLOCK_SEARCH_UNSAFE The client request included an unsafe search query and the Access Policy is configured to enforce safe searches, so the original client request was blocked.

BLOCK_SUSPECT_USER_AGENT Transaction blocked based on the Suspect User Agent setting for the Access Policy group.

BLOCK_UNSUPPORTED_SEARCH_APP Transaction blocked based on the safe search settings for the Access Policy group. The transaction was for an unsupported search engine, and the policy is configured to block unsupported search engines.

BLOCK_WBRS Transaction blocked based on the Web Reputation filter settings for the Access Policy group.

BLOCK_WBRS_IDS The Web Proxy blocked the upload request based on the Web Reputation filter settings for the Data Security Policy group.

BLOCK_WEBCAT Transaction blocked based on URL category filtering settings for the Access Policy group.

BLOCK_WEBCAT_IDS The Web Proxy blocked the upload request based on the URL category filtering settings for the Data Security Policy group.

DECRYPT_ADMIN The Web Proxy decrypted the transaction based on some default settings for the Decryption Policy group.

DECRYPT_ADMIN_EXPIRED_CERT The Web Proxy decrypted the transaction although the server certificate has expired.

DECRYPT_WEBCAT The Web Proxy decrypted the transaction based on URL category filtering settings for the Decryption Policy group.

DECRYPT_WBRS The Web Proxy decrypted the transaction based on the Web Reputation filter settings for the Decryption Policy group.

DEFAULT_CASE The Web Proxy allowed the client to access the server because none of the AsyncOS services, such as Web Reputation or anti-malware scanning, took any action on the transaction.

DROP_ADMIN The Web Proxy dropped the transaction based on some default settings for the Decryption Policy group.

DROP_ADMIN_EXPIRED_CERT The Web Proxy dropped the transaction because the server certificate has expired.

DROP_WEBCAT The Web Proxy dropped the transaction based on URL category filtering settings for the Decryption Policy group.

DROP_WBRS The Web Proxy dropped the transaction based on the Web Reputation filter settings for the Decryption Policy group.




MONITOR_ADMIN_EXPIRED_CERT The Web Proxy monitored the server response because the server certificate has expired.

MONITOR_AMP_RESP The Web Proxy monitored the server response based on the Advanced Malware Protection settings for the Access Policy group.

MONITOR_AMW_RESP The Web Proxy monitored the server response based on the Anti-Malware settings for the Access Policy group.

MONITOR_AMW_RESP_URL The Web Proxy suspects the URL in the HTTP request might not be safe, but it monitored the transaction based on the Anti-Malware settings for the Access Policy group.

MONITOR_AVC The Web Proxy monitored the transaction based on the Application settings for the Access Policy group.

MONITOR_CONTINUE_CONTENT_UNSAFE Originally, the Web Proxy blocked the transaction and displayed the Warn and Continue page based on the site content ratings settings in the Access Policy group. The client request was for adult content and the policy is configured to give a warning to users accessing adult content. The user accepted the warning and continued to the originally requested site, and no other scanning engine subsequently blocked the request.

MONITOR_CONTINUE_CUSTOMCAT Originally, the Web Proxy blocked the transaction and displayed the Warn and Continue page based on a custom URL category in the Access Policy group configured to “Warn.” The user accepted the warning and continued to the originally requested site, and no other scanning engine subsequently blocked the request.

MONITOR_CONTINUE_WEBCAT Originally, the Web Proxy blocked the transaction and displayed the Warn and Continue page based on a predefined URL category in the Access Policy group configured to “Warn.” The user accepted the warning and continued to the originally requested site, and no other scanning engine subsequently blocked the request.

MONITOR_IDS The Web Proxy scanned the upload request using either a Data Security Policy or an External DLP Policy, but did not block the request. It evaluated the request against the Access Policies.

MONITOR_SUSPECT_USER_AGENT The Web Proxy monitored the transaction based on the Suspect User Agent setting for the Access Policy group.

MONITOR_WBRS The Web Proxy monitored the transaction based on the Web Reputation filter settings for the Access Policy group.

NO_AUTHORIZATION The Web Proxy did not allow the user access to the application because the user was already authenticated against an authentication realm, but not against any authentication realm configured in the Application Authentication Policy.

NO_PASSWORD The user failed authentication.

PASSTHRU_ADMIN The Web Proxy passed through the transaction based on some default settings for the Decryption Policy group.




Interpreting Access Log Scanning Verdict EntriesThe access log file entries aggregate and display the results of the various scanning engines, such as URL filtering, Web Reputation filtering, and anti-malware scanning. The appliance displays this information in angled brackets at the end of each access log entry.

The following text is the scanning verdict information from an access log file entry. In this example, the Webroot scanning engine found the malware:

Note For an example of a whole access log file entry, see Web Proxy Information in Access Log Files, page 21-13.

Each element in this example corresponds to a log-file format specifier as shown in the following table:

PASSTHRU_ADMIN_EXPIRED_CERT The Web Proxy passed through the transaction although the server certificate has expired.

PASSTHRU_WEBCAT The Web Proxy passed through the transaction based on URL category filtering settings for the Decryption Policy group.

PASSTHRU_WBRS The Web Proxy passed through the transaction based on the Web Reputation filter settings for the Decryption Policy group.

REDIRECT_CUSTOMCAT The Web Proxy redirected the transaction to a different URL based on a custom URL category in the Access Policy group configured to “Redirect.”

SAAS_AUTH The Web Proxy allowed the user access to the application because the user was authenticated transparently against the authentication realm configured in the Application Authentication Policy.

OTHER The Web Proxy did not complete the request due to an error, such as an authorization failure, server disconnect, or an abort from the client.


<IW_infr,ns,24,"Trojan-Phisher-Gamec",0,354385,12559,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_infr,-,"Trojan Phisher","-","Unknown","Unknown","-","-",489.73,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e”>

Position Field Value Format Specifier Description

1 IW_infr %XC The custom URL category assigned to the transaction, abbreviated. This field shows “nc” when no category is assigned.

2 ns %XW Web Reputation filters score. This field either shows the score as a number, “ns” for no score, or “dns” when there is a DNS lookup error.

3 24 %Xv The malware scanning verdict Webroot passed to the DVS engine. Applies to responses detected by Webroot only.

For more information, see Malware Scanning Verdict Values, page 21-40.



4 “Trojan-Phisher-Gamec” “%Xn” Name of the spyware that is associated with the object. Applies to responses detected by Webroot only.

5 0 %Xt The Webroot specific value associated with the Threat Risk Ratio (TRR) value that determines the probability that malware exists. Applies to responses detected by Webroot only.

6 354385 %Xs A value that Webroot uses as a threat identifier. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Webroot only.

7 12559 %Xi A value that Webroot uses as a trace identifier. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Webroot only.

8 - %Xd The malware scanning verdict McAfee passed to the DVS engine. Applies to responses detected by McAfee only.


9 “-” “%Xe” The name of the file McAfee scanned. Applies to responses detected by McAfee only.

10 - %Xf A value that McAfee uses as a scan error. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by McAfee only.

11 - %Xg A value that McAfee uses as a detection type. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by McAfee only.

12 - %Xh A value that McAfee uses as a virus type. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by McAfee only.

13 “-” “%Xj” The name of the virus that McAfee scanned. Applies to responses detected by McAfee only.

14 - %XY The malware scanning verdict Sophos passed to the DVS engine. Applies to responses detected by Sophos only.


15 - %Xx A value that Sophos uses as a scan return code. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Sophos only.

16 “-” “%Xy” The name of the file in which Sophos found the objectionable content. Applies to responses detected by Sophos only.

17 “-” “%Xz” A value that Sophos uses as the threat name. Cisco Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Sophos only.




18 - %Xl The Cisco Data Security scan verdict based on the action in the Content column of the Cisco Data Security Policy. The following list describes the possible values for this field:

• 0. Allow

• 1. Block

• - (hyphen). No scanning was initiated by the Cisco Data Security Filters. This value appears when the Cisco Data Security Filters are disabled, or when the URL category action is set to Allow.

19 - %Xp The External DLP scan verdict based on the result given in the ICAP response. The following list describes the possible values for this field:

• 0. Allow

• 1. Block

• - (hyphen). No scanning was initiated by the external DLP server. This value appears when External DLP scanning is disabled, or when the content was not scanned due to an exempt URL category on the External DLP Policies > Destinations page.

20 IW_infr %XQ The predefined URL category verdict determined during request-side scanning, abbreviated. This field lists a hyphen ( - ) when URL filtering is disabled.

For a list of URL category abbreviations, see URL Category Descriptions, page 9-25.

21 - %XA The URL category verdict determined by the Dynamic Content Analysis engine during response-side scanning, abbreviated. Applies to the Cisco Web Usage Controls URL filtering engine only. Only applies when the Dynamic Content Analysis engine is enabled and when no category is assigned at request time (a value of “nc” is listed in the request-side scanning verdict).

For a list of URL category abbreviations, see URL Category Descriptions, page 9-25.

22 “Trojan Phisher” “%XZ” Unified response-side anti-malware scanning verdict that provides the malware category independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning.

23 “-” “%Xk” The threat type returned by the Web Reputation filters which resulted in the target website receiving a poor reputation. Typically, this field is populated for sites at reputation of -4 and below.

24 “Unknown” “%XO” The application name as returned by the AVC engine, if applicable. Only applies when the AVC engine is enabled.

25 “Unknown” “%Xu” The application type as returned by the AVC engine, if applicable. Only applies when the AVC engine is enabled.

26 “-” “%Xb” The application behavior as returned by the AVC engine, if applicable. Only applies when the AVC engine is enabled.




27 “-” “%XS” Safe browsing scanning verdict. This value indicates whether either the safe search or the site content ratings feature was applied to the transaction.

For a list of the possible values, see Logging Adult Content Access, page 9-18.

28 489.73 %XB The average bandwidth consumed serving the request, in Kb/sec.

29 0 %XT A value that indicates whether the request was throttled due to bandwidth limit control settings, where “1” indicates the request was throttled, and “0” indicates it was not.

30 [Local] %l The type of user making the request, either “[Local]” or “[Remote].” Only applies when AnyConnect Secure Mobility is enabled. When it is not enabled, the value is a hyphen (-).

31 “-” “%X3” Unified request-side anti-malware scanning verdict independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to client request scanning when an Outbound Malware Scanning Policy applies.

32 “-” “%X4” The threat name assigned to the client request that was blocked or monitored due to an applicable Outbound Malware Scanning Policy.

This threat name is independent of which anti-malware scanning engines are enabled.

33 37 %X#1# Verdict from Advanced Malware Protection file scanning:

• 0: File is not malicious

• 1: File was not scanned because of its file type

• 2: File scan timed out

• 3: Scan error

• Greater than 3: File is malicious

34 "W32.CiscoTestVector" %X#2# Threat name, as determined by Advanced Malware Protection file scanning; "-" indicates no threat.

35 33 %X#3# Reputation score from Advanced Malware Protection file scanning. This score is used only if the cloud reputation service is unable to determine a clear verdict for the file.

For details, see information about the Threat Score and the reputation threshold in Chapter 14, “Overview of File Reputation Filtering and File Analysis.”

36 0 %X#4# Indicator of upload and analysis request:

“0” indicates that Advanced Malware Protection did not request upload of the file for analysis.

“1” indicates that Advanced Malware Protection did request upload of the file for analysis.



Chapter 21 Monitor System Activity Through Logs W3C Compliant Access Log Files

Refer to Log File Fields and Tags, page 21-30 for a description of each format specifier’s function.

Related Topics

• Web Proxy Information in Access Log Files, page 21-13


• W3C Compliant Access Log Files, page 21-24


• Log File Fields and Tags, page 21-30

W3C Compliant Access Log FilesThe Web Security appliance provides two different log types for recording Web Proxy transaction information: access logs and W3C-formatted access logs. The W3C access logs are World Wide Web Consortium (W3C) compliant, and record transaction history in the W3C Extended Log File (ELF) Format.

• W3C Field Types, page 21-24

• Interpreting W3C Access Logs, page 21-24

W3C Field TypesWhen defining a W3C access log subscription, you must choose which log fields to include, such as the ACL decision tag or the client IP address. You can include one of the following types of log fields:

• Predefined. The web interface includes a list of fields from which you can choose.

• User defined. You can type a log field that is not included in the predefined list.

Interpreting W3C Access LogsConsider the following rules and guidelines when interpreting W3C access logs:

• Administrators decide what data is recorded in each W3C access log subscription; therefore, W3C access logs have no set field format.

• W3C logs are self-describing. The file format (list of fields) is defined in a header at the start of each log file.

• Fields in the W3C access logs are separated by a white space.

• If a field contains no data for a particular entry, a hyphen ( - ) is included in the log file instead.

37 "WSA-INFECTED-FILE.pdf"

%X#5# The name of the file being downloaded and analyzed.

38 "fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e

%X#6# The SHA-256 identifier for this file.



Chapter 21 Monitor System Activity Through Logs W3C Compliant Access Log Files

• Each line in the W3C access log file relates to one transaction, and each line is terminated by a LF sequence.

• W3C Log File Headers, page 21-25

• W3C Field Prefixes, page 21-25

W3C Log File Headers

Each W3C log file contains header text at the beginning of the file. Each line starts with the # character and provides information about the Web Security appliance that created the log file. The W3C log file headers also include the file format (list of fields), making the log file self-describing.

The following table describes the header fields listed at the beginning of each W3C log file.

Example W3C log file:

W3C Field Prefixes

Most W3C log field names include a prefix that identifies from which header a value comes, such as the client or server. Log fields without a prefix reference values that are independent of the computers involved in the transaction. The following table describes the W3C log fields prefixes.

Header Field Description

Version The version of the W3C ELF format used.

Date The date and time at which the header (and log file) was created.

System The Web Security appliance that generated the log file in the format “Management_IP - Management_hostname.”

Software The Software which generated these logs

Fields The fields recorded in the log

#Version: 1.0

#Date: 2009-06-15 13:55:20

#System: 10.1.1.1 - wsa.qa

#Software: AsyncOS for Web 6.3.0

#Fields: timestamp x-elapsed-time c-ip x-resultcode-httpstatus sc-bytes cs-method cs-url cs-username x-hierarchy-origin cs-mime-type x-acltag x-result-code

x-suspect-user-agent

Prefix Header Description

c Client

s Server

cs Client to server

sc Server to client

x Application specific identifier.


Chapter 21 Monitor System Activity Through Logs Customizing Access Logs

For example, the W3C log field “cs-method” refers to the method in the request sent by the client to the server, and “c-ip” refers to the client’s IP address.

Related Topics



• Traffic Monitor Log Files, page 21-29.


• Viewing Log Files, page 21-13.

Customizing Access LogsYou can customize regular and W3C access logs to include many different fields to capture comprehensive information about web traffic within the network using predefined fields or user defined fields.

Related Topics

• For a list of predefined fields, see Log File Fields and Tags, page 21-30.

• For information on user defined fields, see Access Log User Defined Fields, page 21-26.

Access Log User Defined FieldsIf the list of predefined Access log and W3C log fields does not include all header information you want to log from HTTP/HTTPS transactions, you can type a user-defined log field in the Custom Fields text box when you configure the access and W3C log subscriptions.

Custom log fields can be any data from any header sent from the client or the server. If a request or response does not include the header added to the log subscription, the log file includes a hyphen as the log field value.

The following table defines the syntax to use for access and W3C logs:

For example, if you want to log the If-Modified-Since header value in client requests, enter the following text in the Custom Fields box for a W3C log subscription:

cs(If-Modified-Since)

Related Topics

• Customizing Regular Access Logs, page 21-27.

• Customizing W3C Access Logs, page 21-27.

Header TypeAccess Log Format Specifier Syntax W3C Log Custom Field Syntax

Header from the client application %<ClientHeaderName: cs(ClientHeaderName)

Header from the server %<ServerHeaderName: sc(ServerHeaderName)



Customizing Regular Access Logs


Step 2 Click the access log file name to edit the access log subscription.

Step 3 Enter the required format specifiers in the Custom Field.

The syntax for entering format specifiers in the Custom Field is as follows:

<format_specifier_1> <format_specifier_2> ...

For example: %a %b %E

You can add tokens before the format specifiers to display descriptive text in the access log file. For example:

client_IP %a body_bytes %b error_type %E

where client_IP is the description token for log format specifier %a, and so on.

Note You can create a custom field for any header in a client request or a server response.


Related Topics



• Access Log User Defined Fields, page 21-26.

Customizing W3C Access Logs

Step 1 Choose System Administration > Log Subscriptions

Step 2 Click the W3C log file name to edit the W3C log subscription.

Step 3 Type a field in the Custom Field box, and click Add.

The order the fields appear in the Selected Log Fields list determines the order of fields in the W3C access log file. You can change the order of fields using the Move Up and Move Down buttons. You can remove a field by selecting it in the Selected Log Fields list and clicking Remove.

You can enter multiple user defined fields in the Custom Fields box and add them simultaneously as long as each entry is separated by a new line (click Enter) before clicking Add.

When you change the log fields included in a W3C log subscription, the log subscription automatically rolls over. This allows the latest version of the log file to include the correct new field headers.

Note You can create a custom field for any header in a client request or a server response.




Related Topics

• W3C Compliant Access Log Files, page 21-24.


• Access Log User Defined Fields, page 21-26.

• Configuring CTA-specific Custom W3C Logs, page 21-28.

Configuring CTA-specific Custom W3C Logs

You can configure the WSA to “push” Cognitive Threat Analytics (CTA)-specific custom W3C access logs to Cisco’s Cloud Web Security service for analysis and reporting. Cisco ScanCenter is the administration portal into Cloud Web Security (CWS).

Before You Begin

• Create a device account in Cisco ScanCenter for your WSA, selecting SCP as the automatic upload protocol (see the “Proxy Device Uploads” section of the Cisco ScanCenter Administrator Guide for more information). Note the SCP (Secure Copy Protocol) host name and the generated user name for your WSA (case sensitive, different for each device).

Step 1 Follow the instructions in Customizing W3C Access Logs, page 21-27 to add a new W3C access log subscription, choosing W3C Logs as the Log Type.

Step 2 Provide a descriptive Log Name.

Step 3 Delete any entries in the Selected Log Fields list (select all and click Remove).

Step 4 Add the following fields to the Selected Log Fields list:

a. Copy and paste the following into the Custom Fields box and then click Add.

timestampx-elapsed-timec-ipcs-usernamec-ports-ips-portcs-urlcs-bytessc-bytescs(User-Agent)cs-mime-typecs-methodsc-http-statuscs(Referer)sc(Location)x-amp-shax-amp-verdictx-amp-malware-namex-amp-score

Step 5 Provide a Rollover by File Size; in this case, 500M is recommended.

Step 6 Choose a Rollover by Time option.


Chapter 21 Monitor System Activity Through Logs Traffic Monitor Log Files

We recommend a Custom Time Interval, with a Rollover every: time interval based on these guidelines:

Step 7 For the Retrieval Method, select SCP on Remote Server and enter the CTA server information from your CWS account.

a. In the SCP Host field, enter the SCP host provided in Cisco ScanCenter; for example, etr.cloudsec.sco.cisco.com.

b. In the SCP Port field, enter 22.

c. In the Directory field, enter /upload.

d. In the Username field, enter the user name generated for your device in Cisco ScanCenter. The device user name is case sensitive and different for each proxy device.

e. Check Enable Host Key Checking, and select Automatically Scan.

Step 8 Click Submit on the WSA.

A public SSH key is generated by the WSA and displayed in the Management Console.

Step 9 Copy the public SSH key generated by the WSA to the Clipboard.

Step 10 Switch to the Cisco ScanCenter portal, select the appropriate device account and then paste the public SSH key into the CTA Device Provisioning page. (See the “Proxy Device Uploads” section of the Cisco ScanCenter Administrator Guide for additional information.)

Successful authentication between your proxy device and CTA system will allow log files from your proxy device to be uploaded to the CTA system for analysis.

Cisco’s ScanCenter is the administration portal to Cisco Cloud Web Security. See http://www.cisco.com/c/en/us/support/security/cloud-web-security/products-installation-and-configuration-guides-list.html.

Step 11 Switch back to the WSA, and click Commit Changes.

Note The WSA restarts when committing configuration changes, so connected users may be temporarily disconnected.

Traffic Monitor Log FilesLayer-4 Traffic Monitor log files provides a detailed record of Layer-4 monitoring activity. You can view Layer-4 Traffic Monitor log file entries to track updates to firewall block lists and firewall allow lists.

Interpreting Traffic Monitor LogsUse the examples below to interpret the various entry types contains in Traffic Monitor Logs.

Number of Users Behind Proxy Recommended Rollover Period

Unknown or less than 2000 55 minutes

2000 to 4000 30 minutes

4000 to 6000 20 minutes

More than 6000 10 minutes

http://www.cisco.com/c/en/us/support/security/cloud-web-security/products-installation-and-configuration-guides-list.html

http://www.cisco.com/c/en/us/support/security/cloud-web-security/products-installation-and-configuration-guides-list.html


Chapter 21 Monitor System Activity Through Logs Log File Fields and Tags

Example 1172.xx.xx.xx discovered for blocksite.net (blocksite.net) added to firewall block list.

In this example, where a match becomes a block list firewall entry. The Layer-4 Traffic Monitor matched an IP address to a domain name in the block list based on a DNS request which passed through the appliance. The IP address is then entered into the block list for the firewall.

Example 2172.xx.xx.xx discovered for www.allowsite.com (www.allowsite.com) added to firewall allow list.

In this example, a match becomes an allow list firewall entry. The Layer-4 Traffic Monitor matched a domain name entry and added it to the appliance allow list. The IP address is then entered into the allow list for the firewall.

Example 3Firewall noted data from 172.xx.xx.xx to 209.xx.xx.xx (allowsite.net):80.

In this example, the Layer-4 Traffic Monitor logs a record of data that passed between an internal IP address and an external IP address which is on the block list. Also, the Layer-4 Traffic Monitor is set to monitor, not block.

Related Topics


Log File Fields and Tags• Access Log Format Specifiers and W3C Log File Fields, page 21-30

• Transaction Result Codes, page 21-16

• ACL Decision Tags, page 21-16

• Malware Scanning Verdict Values, page 21-40

Access Log Format Specifiers and W3C Log File FieldsLog files use variables to represent the individual items of information that make up each log file entry. These variables are called format specifiers in Access logs and log fields in W3C logs and each format specifier has a corresponding log field.

To configure Access Logs to display these values, see Customizing Access Logs, page 21-26 and information about custom fields in Adding and Editing Log Subscriptions, page 21-7.



The following table describes these variables:

Format Specifier in Access Logs Log Field in W3C Logs Description

%:<1 x-p2s-first-byte-time The time it takes from the moment the Web Proxy starts connecting to the server to the time it is first able to write to the server. If the Web Proxy has to connect to several servers to complete the transaction, it is the sum of those times.

%:<a x-p2p-auth-wait-time Wait-time to receive the response from the Web Proxy authentication process, after the Web Proxy sent the request.

%:<b x-p2s-body-time Wait-time to write request body to server after header.

%:<d x-p2p-dns-wait-time Time taken by the Web Proxy to send the DNS request to the Web Proxy DNS process.

%:<h x-p2s-header-time Wait-time to write request header to server after first byte.

%:<r x-p2p-reputation-wait-time Wait-time to receive the response from the Web Reputation Filters, after the Web Proxy sent the request.

%:<s x-p2p-asw-req-wait-time Wait-time to receive the verdict from the Web Proxy anti-spyware process, after the Web Proxy sent the request.

%:>1 x-s2p-first-byte-time Wait-time for first response byte from server

%:>a x-p2p-auth-svc-time Wait-time to receive the response from the Web Proxy authentication process, including the time required for the Web Proxy to send the request.

%:>b x-s2p-body-time Wait-time for complete response body after header received

%:>c x-p2p-fetch-time Time required for the Web Proxy to read a response from the disk cache.

%:>d x-p2p-dns-svc-time Time taken by the Web Proxy DNS process to send back a DNS result to the Web Proxy.

%:>h x-s2p-header-time Wait-time for server header after first response byte

%:>r x-p2p-reputation-svc-time Wait-time to receive the verdict from the Web Reputation Filters, including the time required for the Web Proxy to send the request.

%:>s x-p2p-asw-req-svc-time Wait-time to receive the verdict from the Web Proxy anti-spyware process, including the time required for the Web Proxy to send the request.

%:1< x-c2p-first-byte-time Wait-time for first request byte from new client connection.

%:1> x-p2c-first-byte-time Wait-time for first byte written to client.

%:A< x-p2p-avc-svc-time Wait-time to receive the response from the AVC process, including the time required for the Web Proxy to send the request.



%:A> x-p2p-avc-wait-time Wait-time to receive the response from the AVC process, after the Web Proxy sent the request.

%:b< x-c2p-body-time Wait-time for complete client body.

%:b> x-p2c-body-time Wait-time for complete body written to client.

%:C< x-p2p-dca-resp-svc-time Wait-time to receive the verdict from the Dynamic Content Analysis engine, including the time required for the Web Proxy to send the request.

%:C> x-p2p-dca-resp-wait-time Wait-time to receive the response from the Dynamic Content Analysis engine, after the Web Proxy sent the request.

%:h< x-c2p-header-time Wait-time for complete client header after first byte

%:h> x-s2p-header-time Wait-time for complete header written to client

%:m< x-p2p-mcafee-resp-svc-time

Wait-time to receive the verdict from the McAfee scanning engine, including the time required for the Web Proxy to send the request.

%:m> x-p2p-mcafee-resp-wait-time

Wait-time to receive the response from the McAfee scanning engine, after the Web Proxy sent the request.

%:p< x-p2p-sophos-resp-svc-time

Wait-time to receive the verdict from the Sophos scanning engine, including the time required for the Web Proxy to send the request.

%:p> x-p2p-sophos-resp-wait-time

Wait-time to receive the response from the Sophos scanning engine, after the Web Proxy sent the request.

%:w< x-p2p-webroot-resp-svc-time

Wait-time to receive the verdict from the Webroot scanning engine, including the time required for the Web Proxy to send the request.

%:w> x-p2p-webroot-resp-wait-time

Wait-time to receive the response from the Webroot scanning engine, after the Web Proxy sent the request.

%?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.

x-suspect-user-agent Suspect user agent, if applicable. If the Web Proxy determines the user agent is suspect, it will log the user agent in this field. Otherwise, it logs a hyphen. This field is written with double-quotes in the access logs.

%<Referer: cs(Referer) Referer

%>Server: sc(Server) Server header in the response.

%a c-ip Client IP Address.

%A cs-username Authenticated user name. This field is written with double-quotes in the access logs.

%b sc-body-size Bytes sent to the client from the Web Proxy for the body content.

%B bytes Total bytes used (request size + response size, which is %q + %s).




%c cs-mime-type Response body MIME type. This field is written with double-quotes in the access logs.

%C cs(Cookie) Cookie header. This field is written with double-quotes in the access logs.

%d s-hostname Data source or server IP address.

%D x-acltag ACL decision tag.

%e x-elapsed-time Elapsed time in milliseconds.

For TCP traffic, this is the time elapsed between the opening and closing of the HTTP connection.

For UDP traffic, this is the time elapsed between the sending of the first datagram and the time at which the last datagram can be accepted. A large elapsed time value for UDP traffic may indicate that a large timeout value and a long-lived UDP association allowed datagrams to be accepted longer than necessary.

%E x-error-code Error code number that may help Customer Support troubleshoot the reason for a failed transaction.(

%f cs(X-Forwarded-For) X-Forwarded-For header.

%F c-port Client source port

%g cs-auth-group Authorized group names. This field is written with double-quotes in the access logs.

This field is used for troubleshooting policy/authentication issues to determine whether a user is matching the correct group or policy.

%h sc-http-status HTTP response code.

%H s-hierarchy Hierarchy retrieval.

%i x-icap-server IP address of the last ICAP server contacted while processing the request.

%I x-transaction-id Transaction ID.




%j DCF Do not cache response code; DCF flags.

Response code descriptions:

• Response code based on client request:

– 1 = Request had “no-cache” header.

– 2 = Caching is not authorized for the request.

– 4 = Request is missing the 'Variant' header.

– 8 = Username or passphrase needed for user request.

– 20 = Response for specified HTTP method.

• Response code based on response received by the appliance:

– 40 = Response contains “Cache-Control: private” header.

– 80 = Response contains “Cache-Control: no-store” header.

– 100 = Response indicates that request was a query.

– 200 = Response has a small “Expires” value (expires soon).

– 400 = Response does not have “Last Modified” header.

– 1000 = Response expires immediately.

– 2000 = Response file is too big to cache.

– 20000 = New copy of file exists.

– 40000 = Response has bad/invalid values in “Vary” header.

– 80000 = Response requires setting of cookies.

– 100000 = Non-cacheable HTTP STATUS Code.

– 200000 = Object received by appliance was incomplete (based on size).

– 800000 = Response trailers indicate no caching.

– 1000000 = Response requires re-write.

%k s-ip Data source IP address (server IP address)

This value is used to determine a requestor when the IP address is flagged by an intrusion detection device on your network. Allows you to locate a client that visited an IP address that has been so flagged.

%l user-type Type of user, either local or remote.




%L x-local_time Request local time in human-readable format: DD/MMM/YYYY : hh:mm:ss +nnnn. This field is written with double-quotes in the access logs.

Enabling this field allows you to correlate logs to issues without having to calculate local time from epoch time for each log entry.

%m cs-auth-mechanism Used to troubleshoot authentication issues.

The authentication mechanism used on the transaction. Possible values are:

• BASIC. The user name was authenticated using the Basic authentication scheme.

• NTLMSSP. The user name was authenticated using the NTLMSSP authentication scheme.

• Kerberos. The user name was authenticated using the Kerberos authentication scheme.

• SSO_TUI. The user name was obtained by matching the client IP address to an authenticated user name using transparent user identification.

• SSO_ISE. The user was authenticated by an ISE server. (Log shows GUEST if that is chosen as the fall-back mechanism for ISE authentication.)

• SSO_ASA. The user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility.

• FORM_AUTH. The user entered authentication credentials in a form in the web browser when accessing a application.

• GUEST. The user failed authentication and instead was granted guest access.

%M CMF Cache miss flags: CMF flags.

%N s-computerName Server name or destination hostname. This field is written with double-quotes in the access logs.

%p s-port Destination port number.

%P cs-version Protocol.

%q cs-bytes Request size (headers + body).

%r x-req-first-line Request first line - request method, URI.

%s sc-bytes Response size (header + body).




%t timestamp Timestamp in UNIX epoch.

Note: If you want to use a third party log analyzer tool to read and parse the W3C access logs, you might need to include the “timestamp” field. Most log analyzers only understand time in the format provided by this field.

%u cs(User-Agent) User agent. This field is written with double-quotes in the access logs.

This field helps determine if an application is failing authentication and/or requires different access permissions.

%U cs-uri Request URI.

%v date Date in YYYY-MM-DD.

%V time Time in HH:MM:SS.

%w sc-result-code Result code. For example: TCP_MISS, TCP_HIT.

%W sc-result-code-denial Result code denial.

%x x-latency Latency.

%X0 x-resp-dvs-scanverdict Unified response-side anti-malware scanning verdict that provides the malware category number independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning.

This field is written with double-quotes in the access logs.

%X1 x-resp-dvs-threat-name Unified response-side anti-malware scanning verdict that provides the malware threat name independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning.


%X2 x-req-dvs-scanverdict Request side DVS Scan verdict

%X3 x-req-dvs-verdictname Request side DVS verdict name

%X4 x-req-dvs-threat-name Request side DVS threat name

%X6 x-as-malware-threat-name Indicates whether Adaptive Scanning blocked the transaction without invoke any anti-malware scanning engine. The possible values are:

• 1. Transaction was blocked.

• 0. Transaction was not blocked.

This variable is included in the scanning verdict information (in the angled brackets at the end of each access log entry).




%XA x-webcat-resp-code-abbr The URL category verdict determined during response-side scanning, abbreviated. Applies to the Cisco Web Usage Controls URL filtering engine only.

%Xb x-avc-behavior The web application behavior identified by the AVC engine.

%XB x-avg-bw Average bandwidth of the user if bandwidth limits are defined by the AVC engine.

%XC x-webcat-code-abbr URL category abbreviation for the custom URL category assigned to the transaction.

%Xd x-mcafee-scanverdict McAfee specific identifier: (scan verdict).

%Xe x-mcafee-filename McAfee specific identifier: (File name yielding verdict) This field is written with double-quotes in the access logs.

%Xf x-mcafee-av-scanerror McAfee specific identifier: (scan error).

%XF x-webcat-code-full Full name of the URL category assigned to the transaction. This field is written with double-quotes in the access logs.

%Xg x-mcafee-av-detecttype McAfee specific identifier: (detect type).

%XG x-avc-reqhead-scanverdict AVC request header verdict.

%Xh x-mcafee-av-virustype McAfee specific identifier: (virus type).

%XH x-avc-reqbody-scanverdict

AVC request body verdict.

%Xi x-webroot-trace-id Webroot specific scan identifier: (Trace ID)

%Xj x-mcafee-virus-name McAfee specific identifier: (virus name). This field is written with double-quotes in the access logs.

%Xk x-wbrs-threat-type Web reputation threat type.

%XK x-wbrs-threat-reason Web reputation threat reason.

%Xl x-ids-verdict Cisco Data Security Policy scanning verdict. If this field is included, it will display the IDS verdict, or “0” if IDS was active but the document scanned clean, or “-” if no IDS policy was active for the request.

%XL x-webcat-resp-code-full The URL category verdict determined during response-side scanning, full name.Applies to the Cisco Web Usage Controls URL filtering engine only.

%XM x-avc-resphead-scanverdict AVC response header verdict.

%Xn x-webroot-threat-name Webroot specific identifier: (Threat name) This field is written with double-quotes in the access logs.

%XN x-avc-reqbody-scanverdict AVC response body verdict.

%XO x-avc-app The web application identified by the AVC engine.

%Xp x-icap-verdict External DLP server scanning verdict.




%XP x-acl-added-headers Unrecognized header. Use this field to log extra headers in client requests. This supports troubleshooting of specialized systems that add headers to client requests as a way of authenticating and redirecting those requests, for example, YouTube for Schools.

%XQ x-webcat-req-code-abbr The predefined URL category verdict determined during request-side scanning, abbreviated.

%Xr x-result-code Scanning verdict information.

%XR x-webcat-req-code-full The URL category verdict determined during request-side scanning, full name.

%Xs x-webroot-spyid Webroot specific identifier: (Spy ID).

%XS x-request-rewrite Safe browsing scanning verdict.

Indicates whether either the safe search or site content ratings feature was applied to the transaction.

%Xt x-webroot-trr Webroot specific identifier: (Threat Risk Ratio [TRR]).

%XT x-bw-throttled Flag that indicates whether bandwidth limits were applied to the transaction.

%Xu x-avc-type The web application type identified by the AVC engine.

%Xv x-webroot-scanverdict Malware scanning verdict from Webroot.

%XV x-request-source-ip The downstream IP address when the “Enable Identification of Client IP Addresses using X-Forwarded-For” checkbox is enabled for the Web Proxy settings.

%XW x-wbrs-score Decoded WBRS score <-10.0-10.0>.

%Xx x-sophos-scanerror Sophos specific identifier: (scan return code).

%Xy x-sophos-file-name The name of the file in which Sophos found the objectionable content. Applies to responses detected by Sophos only.

%XY x-sophos-scanverdict Sophos specific identifier: (scan verdict).

%Xz x-sophos-virus-name Sophos specific identifier: (threat name).

%XZ x-resp-dvs-verdictname Unified response-side anti-malware scanning verdict that provides the malware category independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning.





Related Topics



%X#1# x-amp-verdict Verdict from Advanced Malware Protection file scanning:

• 0: File is not malicious.

• 1: File was not scanned because of its file type.

• 2: File scan timed out.

• 3: Scan error.

• Greater than 3: File is malicious.

%X#2# x-amp-malware-name Threat name, as determined by Advanced Malware Protection file scanning. “-” indicates no threat.

%X#3# x-amp-score Reputation score from Advanced Malware Protection file scanning.

This score is used only if the cloud reputation service is unable to determine a clear verdict for the file.

For details, see information about the Threat Score and the reputation threshold in Chapter 14, “Overview of File Reputation Filtering and File Analysis.”

%X#4# x-amp-upload Indicator of upload and analysis request:

“0” indicates that Advanced Malware Protection did not request upload of the file for analysis.

“1” indicates that Advanced Malware Protection did request upload of the file for analysis.

%X#5# x-amp-filename The name of the file being downloaded and analyzed.

%X#6# x-amp-sha The SHA-256 identifier for this file.

%y cs-method Method.

%Y cs-url The entire URL.

N/A x-hierarchy-origin Code that describes which server was contacted for the retrieving the request content (for example, DIRECT/www.example.com).

N/A x-resultcode-httpstatus Result code and the HTTP response code, with a slash (/) in between.




Malware Scanning Verdict ValuesA malware scanning verdict is a value assigned to a URL request or server response that determines the probability that it contains malware. The Webroot, McAfee, and Sophos scanning engines return the malware scanning verdict to the DVS engine so the DVS engine can determine whether to monitor or block the scanned object. Each malware scanning verdict corresponds to a malware category listed on the Access Policies > Reputation and Anti-Malware Settings page when you edit the anti-malware settings for a particular Access Policy.

The following list presents the different Malware Scanning Verdict Values and each corresponding malware category:

Related Topics



Malware Scanning Verdict Value Malware Category

- Not Set

0 Unknown

1 Not Scanned

2 Timeout

3 Error

4 Unscannable

10 Generic Spyware

12 Browser Helper Object

13 Adware

14 System Monitor

18 Commercial System Monitor

19 Dialer

20 Hijacker

21 Phishing URL

22 Trojan Downloader

23 Trojan Horse

24 Trojan Phisher

25 Worm

26 Encrypted File

27 Virus

33 Other Malware

34 PUA

35 Aborted

36 Outbreak Heuristics

37 Known Malicious and High-Risk Files


Chapter 21 Monitor System Activity Through Logs Troubleshooting Logging

Troubleshooting Logging• Custom URL Categories Not Appearing in Access Log Entries, page A-13

• Logging HTTPS Transactions, page A-13

• Alert: Unable to Maintain the Rate of Data Being Generated, page A-14

• Problem Using Third-Party Log-Analyzer Tool with W3C Access Logs, page A-14


Chapter 21 Monitor System Activity Through Logs Troubleshooting Logging

C H A P T E R


22Perform System Administration Tasks

• Overview of System Administration, page 22-1

• Saving, Loading, and Resetting the Appliance Configuration, page 22-2

• Working with Feature Keys, page 22-3

• Virtual Appliance License, page 22-4

• Enabling Remote Power Cycling, page 22-5

• Administering User Accounts, page 22-6

• Defining User Preferences, page 22-10

• Configuring Administrator Settings, page 22-11

• Configuring the Return Address for Generated Messages, page 22-14


• FIPS Compliance, page 22-21

• SSL Configuration, page 22-23

• System Date and Time Management, page 22-22

• Certificate Management, page 22-25

• AsyncOS for Web Upgrades and Updates, page 22-28

• Reverting to a Previous Version of AsyncOS for Web, page 22-33

• Monitoring System Health and Status Using SNMP, page 22-35

Overview of System AdministrationThe S-Series appliance provides a variety of tools for managing the system. Functionality on System Administration tab helps you manage the following tasks:

• Appliance configuration

• Feature keys

• Adding, editing, and removing user accounts

• AsyncOS software upgrades and updates

• System time


Chapter 22 Perform System Administration Tasks Saving, Loading, and Resetting the Appliance Configuration

Saving, Loading, and Resetting the Appliance ConfigurationAll configuration settings within the Web Security appliance are managed using a single XML configuration file.

• Viewing and Printing the Appliance Configuration, page 22-2

• Saving the Appliance Configuration File, page 22-2

• Loading the Appliance Configuration File, page 22-3

• Resetting the Appliance Configuration to Factory Defaults, page 22-3

Viewing and Printing the Appliance Configuration

Step 1 Choose System Administration > Configuration Summary.

Step 2 View or print the Configuration Summary page as required.

Saving the Appliance Configuration File

Step 1 Choose System Administration > Configuration File.

Step 2 Complete the Configuration File options.


Option Description

Choose from these location options:

• Download file to local computer to view or save

• Save file to this appliance (example.com)

• Email file to

Allows you to choose where to save the file to

Mask passphrases in the Configuration Files If enabled, causes the original, encrypted passphrase to be replaced with “*****” in the exported or saved file. Please note, however, that configuration files with masked passphrases cannot be loaded directly back into AsyncOS for Web.

Choose from these file name options:

• Use system-generated file name

• Use user-defined file name:

Allows you to choose the configuration file naming method.


Chapter 22 Perform System Administration Tasks Working with Feature Keys

Loading the Appliance Configuration File

Caution Loading configuration will permanently remove all of your current configuration settings. It is strongly recommended that you save your configuration before performing these actions.

Note If a compatible configuration file is based on an older version of the set of URL categories than the version currently installed on the appliance, policies and identities in the configuration file may be modified automatically.


Step 2 Choose Load Configuration options and a file to load. Note:

Files with masked passphrases cannot be loaded.

Files must have the following header:

<?xml version=”1.0” encoding=”ISO-8859-1”?> <!DOCTYPE config SYSTEM “config.dtd”>

and a correctly formatted config section:

<config> ... your configuration information in valid XML </config>

Step 3 Click Load.

Step 4 Read the warning displayed. If you understand the consequences of proceeding, click Continue.

Resetting the Appliance Configuration to Factory Defaults You can choose whether or not to retain existing network settings when you reset the appliance configuration.

This action does not require a commit.

Before You Begin

Save your configuration to a location off the appliance.


Step 2 Scroll down to view the Reset Configuration section.

Step 3 Read the information on the page and select options.

Step 4 Click Reset.

Working with Feature KeysFeature keys enable specific functionality on your system.Keys are specific to the serial number of your appliance (you cannot re-use a key from one system on another system).


Chapter 22 Perform System Administration Tasks Virtual Appliance License

• Displaying and Updating Feature Keys, page 22-4

• Changing Feature Key Update Settings, page 22-4

Displaying and Updating Feature Keys

Step 1 Choose System Administration > Feature Keys.

Step 2 To refresh the list of pending keys, click Check for New Keys to refresh the list of pending keys.

Step 3 To add a new feature key manually, paste or type the key into the Feature Key field and click Submit Key. If the feature key is valid, the feature key is added to the display.

Step 4 To activate a new feature key from the Pending Activation list, mark its “Select” checkbox and click Activate Selected Keys.

You can configure your appliance to automatically download and install new keys as they are issued. In this case, the Pending Activation list will always be empty. You can tell AsyncOS to look for new keys at any time by clicking the Check for New Keys button, even if you have disabled the automatic checking via the Feature Key Settings page.

Changing Feature Key Update Settings The Feature Key Settings page is used to control whether your appliance checks for and downloads new feature keys, and whether or not those keys are automatically activated.

Step 1 Choose System Administration > Feature Key Settings.


Step 3 Change the Feature Key Settings as required.


Virtual Appliance LicenseThe Cisco Web Security Virtual appliance requires an additional license to run the virtual appliance on a host.

Option Description

Automatic Serving of Feature Keys

Options to automatically check and download feature keys and to automatically activate downloaded feature keys.

Automatic checks are normally performed once a month but this changes to once a day when a feature key is to expire in less than 10 days and once a day after key expiration, for up to one month. After a month, the expired key is no longer included in the list of expiring/expired keys.


Chapter 22 Perform System Administration Tasks Enabling Remote Power Cycling

For more information about virtual appliance licensing, see the Cisco Content Security Virtual Appliance Installation Guide, available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.

Note You cannot open a Technical Support tunnel before installing the virtual appliance license.

After the license expires, the appliance will continue to serve as a web proxy without security services for180 days. Security service updates do not occur during this period.

You can configure the appliance so you receive alerts about license expiration.

Related Topics


Installing a Virtual Appliance LicenseSee the Cisco Content Security Virtual Appliance Installation Guide, available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.

Enabling Remote Power Cycling The ability to remotely reset the power for the appliance chassis is available only on 80-series hardware.

If you want to be able to remotely reset appliance power, you must enable and configure this functionality in advance, using the procedure described in this section.

Before You Begin

• Cable the dedicated Remote Power Cycle (RPC) port directly to a secure network. For information, see the hardware guide for your appliance model. For the location of this document, see Documentation Set, page C-2.

• Ensure that the appliance is accessible remotely; for example, open any necessary ports through the firewall.

• This feature requires a unique IPv4 address for the dedicated Remote Power Cycle interface. This interface is configurable only via the procedure described in this section; it cannot be configured using the ipconfig command.

• In order to cycle appliance power, you will need a third-party tool that can manage devices that support the Intelligent Platform Management Interface (IPMI) version 2.0. Ensure that you are prepared to use such a tool.

• For more information about accessing the command-line interface, see Appendix B, “Command Line Interface.”

Step 1 Use SSH or the serial console port to access the command-line interface.

Step 2 Sign in using an account with Administrator access.

Step 3 Enter the following commands:






Chapter 22 Perform System Administration Tasks Administering User Accounts

remotepower

setup

Step 4 Follow the prompts to specify the following:

• The dedicated IP address for this feature, plus netmask and gateway.

• The username and passphrase required to execute the power-cycle command.

These credentials are independent of other credentials used to access your appliance.

Step 5 Enter commit to save your changes.

Step 6 Test your configuration to be sure that you can remotely manage appliance power.

Step 7 Ensure that the credentials that you entered will be available to you in the indefinite future. For example, store this information in a safe place and ensure that administrators who may need to perform this task have access to the required credentials.

Related Topics

• Hardware Appliances: Remotely Resetting Appliance Power, page A-20

Administering User AccountsThe following types of users can log into the Web Security appliance to manage the appliance:

• Local users. You can define users locally on the appliance itself.

• Users defined in an external system. You can configure the appliance to connect to an external RADIUS server to authenticate users logging into the appliance.

Note Any user you define can log into the appliance using any method, such as logging into the web interface or using SSH.

Related Topics

• Managing Local User Accounts, page 22-6.

• RADIUS User Authentication, page 22-8.

Managing Local User AccountsYou can define any number of users locally on the Web Security appliance.

The default system admin account has all administrative privileges. You can change the admin account passphrase, but you cannot edit or delete this account.

Note If you have lost the admin user passphrase, contact your Cisco support provider.



Adding Local User Accounts

Before You Begin

Define the passphrase requirements that all user accounts must follow. See Setting Passphrase Requirements for Administrative Users, page 22-11.

Step 1 Choose System Administration > Users.

Step 2 Click Add User

Step 3 Enter a username, noting the following rules:

• Usernames can contain lowercase letters, numbers, and the dash ( - ) character, but cannot begin with a dash.

• Usernames cannot greater than 16 characters.

• Usernames cannot be special names that are reserved by the system, such as “operator” or “root.”

• If you also use external authentication, usernames should not duplicate externally-authenticated usernames.

Step 4 Enter a full name for the user.

Step 5 Select a user type.

Step 6 Enter or generate a passphrase.


User Type Description

Administrator Allows full access to all system configuration settings. However, the upgradecheck and upgradeinstall CLI commands can be issued only from the system defined “admin” account.

Operator Restricts users from creating, editing, or removing user accounts. The operators group also restricts the use of the following CLI commands:

• resetconfig

• upgradecheck

• upgradeinstall

• systemsetup or running the System Setup Wizard

Read-Only Operator

User accounts with this role:

• Can view configuration information.

• Can make and submit changes to see how to configure a feature, but they cannot commit them.

• Cannot make any other changes to the appliance, such as clearing the cache or saving files.

• Cannot access the file system, FTP, or SCP.

Guest The guests group users can only view system status information, including reporting and tracking.



Deleting User Accounts


Step 2 Click the trash can icon corresponding to the listed user name and confirm when prompted.


Editing User Accounts


Step 2 Click the user name.

Step 3 Make changes to the user on the Edit User page as required.


Changing Passphrases

To change the passphrase of the account currently logged in, select Options > Change Passphrase from the top right-hand side of the window.

For other accounts, edit the account and change the passphrase in the Local User Settings page.

Related Topics

• Editing User Accounts, page 22-8

• Setting Passphrase Requirements for Administrative Users, page 22-11

RADIUS User AuthenticationThe Web Security appliance can use a RADIUS directory service to authenticate users that log in to the appliance using HTTP, HTTPS, SSH, and FTP. You can configure the appliance to contact multiple external servers for authentication, using either PAP or CHAP authentication. You can map groups of external users to different Web Security appliance user role types.

Sequence of Events For Radius Authentication

When external authentication is enabled and a user logs into the Web Security appliance, the appliance:

1. Determines if the user is the system-defined “admin” account.

2. If not, checks the first configured external server to determine if the user is defined there.

3. If the appliance cannot connect to the first external server, it checks the next external server in the list.

4. If the appliance cannot connect to any external server, it tries to authenticate the user as a local user defined on the Web Security appliance.



5. If the user does not exist on any external server or on the appliance, or if the user enters the wrong passphrase, access to the appliance is denied.

Enabling External Authentication Using RADIUS

Step 1 On the System Administration > Users page, click Enable External Authentication.

Step 2 Choose RADIUS as the Authentication Type.

Step 3 Enter the host name, port number, and Shared Secret passphrase for the RADIUS server. Default port is 1812.

Step 4 Enter the number of seconds the appliance is to wait for a response from the server before timing out.

Step 5 Choose the authentication protocol used by the RADIUS server.

Step 6 (Optional) Click Add Row to add another RADIUS server. Repeat steps 3–5 for each RADIUS server.

Note You can add up to ten RADIUS servers.

Step 7 In the External Authentication Cache Timeout field, enter the number of seconds AsyncOS stores the external authentication credentials before contacting the RADIUS server again to re-authenticate. Default is zero.

Note If the RADIUS server uses one-time passphrases, for example passphrases created from a token, enter zero (0). When the value is set to zero, AsyncOS does not contact the RADIUS server again to authenticate during the current session.


Chapter 22 Perform System Administration Tasks Defining User Preferences

Step 8 Configure Group Mapping—Select whether to map all externally authenticated users to the Administrator role or to different appliance-user role types.


Related Topics


• Adding Local User Accounts, page 22-7.

Defining User PreferencesPreference settings, such as reporting display formats, are stored for each user and are the same regardless from which client machine the user logs into the appliance.

Step 1 Choose Options > Preferences.

Setting Description

Map externally authenticated users to multiple local roles.

Enter a group name as defined in the RADIUS CLASS attribute, and choose an appliance Role type. You can add more role mappings by clicking Add Row.

AsyncOS assigns RADIUS users to appliance roles based on the RADIUS CLASS attribute. CLASS attribute requirements:

• three-character minimum

• 253-character maximum

• no colons, commas, or newline characters

• one or more mapped CLASS attributes for each RADIUS user (With this setting, AsyncOS denies access to RADIUS users without a mapped CLASS attribute.)

For RADIUS users with multiple CLASS attributes, AsyncOS assigns the most restrictive role. For example, if a RADIUS user has two CLASS attributes, which are mapped to the Operator and Read-Only Operator roles, AsyncOS assigns the RADIUS user to the Read-Only Operator role, which is more restrictive than the Operator role.

These are the appliance roles ordered from most restrictive to least restrictive:

• Administrator

• Operator

• Read-Only Operator

• Guest

Map all externally authenticated users to the Administrator role.

AsyncOS assigns all RADIUS users to the Administrator role.


Chapter 22 Perform System Administration Tasks Configuring Administrator Settings

Step 2 On the User Preferences page, click Edit Preferences.

Step 3 Configure the preference settings as required.


Configuring Administrator Settings

Setting Passphrase Requirements for Administrative Users To set passphrase requirements for locally-defined administrative users of the appliance:

Step 1 Select System Administration > Users.

Step 2 In the Passphrase Settings section, click Edit Settings.

Step 3 Choose options:

Preference Setting Description

Language Display The language AsyncOS for Web uses in the web interface and CLI.

Landing Page The page that displays when the user logs into the appliance.

Reporting Time Range Displayed (default)

The default time range that displays for reports on the Reporting tab.

Number of Reporting Rows Displayed

The number of rows of data shown for each report by default.


Chapter 22 Perform System Administration Tasks Configuring Administrator Settings


Additional Security Settings for Accessing the ApplianceYou can configure the Web Security appliance to have stricter access requirements for administrators logging into the appliance.

Option Description

List of words to disallow in passphrases

Create a .txt file with each forbidden word on a separate line, then select the file to upload it. Subsequent uploads overwrite previous uploads.

Passphrase Strength You can display a passphrase-strength indicator when an administrative user enters a new passphrase.

This setting does not enforce creation of strong passphrases, it merely shows how easy it is to guess the entered passphrase.

Select the roles for which you wish to display the indicator. Then, for each selected role, enter a number greater than zero. A larger number means that a passphrase that registers as strong is more difficult to achieve. This setting has no maximum value, but a very high number makes it effectively impossible to enter a passphrase that evaluates as "good."

Experiment to see what number best meets your requirements.

Passphrase strength is measured on a logarithmic scale. Evaluation is based on the U.S. National Institute of Standards and Technology rules of entropy as defined in NIST SP 800-63, Appendix A.

Generally, stronger passphrases:

• Are longer

• Include upper case, lower case, numeric, and special characters

• Do not include words in any dictionary in any language.

To enforce passphrases with these characteristics, use the other settings on this page.


Chapter 22 Perform System Administration Tasks Resetting the Administrator Passphrase

Resetting the Administrator PassphraseAny administrator-level user can change the passphrase for the “admin” user.

Before You Begin

• If you do not know the passphrase for the admin account, contact your customer support provider to reset the passphrase.

• Understand that changes to the passphrase take effect immediately and do not require you to commit the change.

Step 1 Select Management Appliance > System Administration > Users.

Step 2 Click the admin link in the Users list.

Step 3 Select Change the passphrase.

Step 4 Generate or enter the new passphrase.

Command Description

adminaccessconfig

> banner

Configures the appliance to display any text you specify when an administrator tries to logs in. The custom banner text appears when an administrator tries to access the appliance through all interfaces, such as the web interface or via FTP.

You can load the custom text by either pasting it into the CLI prompt or by copying it from a file located on the Web Security appliance. To upload the text from a file, you must first transfer the file to the configuration directory on the appliance using FTP

adminaccessconfig

> ipaccess

Controls from which IP addresses administrators access the Web Security appliance. Administrators can access the appliance from any machine or from machines with an IP address from a list you specify.

When restrict access to an allow list, you can specify IP addresses, subnets, or CIDR addresses.

By default, when you list the addresses that can access the appliance, the IP address of your current machine is listed as the first address in the allow list. You cannot delete the IP address of your current machine from the allow list.

adminaccessconfig

> strictssl

Configures the appliance so administrators log into the web interface on port 8443 using stronger SSL ciphers (greater than 56 bit encryption).

When you configure the appliance to require stronger SSL ciphers, the change only applies to administrators accessing the appliance using HTTPS to manage the appliance. It does not apply to other network traffic connected to the Web Proxy using HTTPS.


Chapter 22 Perform System Administration Tasks Configuring the Return Address for Generated Messages

Configuring the Return Address for Generated MessagesCandidate for the Reporting chapter

You can configure the return address for mail generated by AsyncOS for reports.

Step 1 Choose System Administration > Return Addresses.


Step 3 Enter the display name, user name, and domain name.


Managing AlertsAlerts are email notifications containing information about events occurring on the Cisco Web Security Appliance appliance. These events can be of varying levels of importance (or severity) from minor (Informational) to major (Critical) and pertain generally to a specific component or feature on the appliance.

Note To receive alerts and email notifications, you must configure the SMTP relay host that the appliance uses to send the email messages.

Alert Classifications and Severities

The information contained in an alert is determined by an alert classification and a severity. You can specify which alert classifications, at which severity, are sent to any alert recipient.

Alert Classifications

AsyncOS sends the following types of alert:

• System

• Hardware

• Updater

• Web Proxy

• Anti-Malware


Alert Severities

Alerts can be sent for the following severities:

• Critical: Requires immediate attention.

• Warning: Problem or error requiring further monitoring and potentially immediate attention.

• Information: Information generated in the routine functioning of this device.


Chapter 22 Perform System Administration Tasks Managing Alerts

Managing Alert Recipients

Note If you enabled AutoSupport during System Setup, the email address you specified will receive alerts for all severities and classes by default. You can change this configuration at any time.

Adding and Editing Alert Recipients


Step 2 Click on a recipient in the Alert Recipients list to edit it, or click Add Recipient to add a new recipient.

Step 3 Add or edit the recipient’s email address. You can enter multiple addresses, separated by commas.

Step 4 Select which alert severities to receive for each alert type.


Deleting Alert Recipients


Step 2 Click the trash can icon corresponding to the alert recipient in the Alert Recipient listing and confirm.


Configuring Alert SettingsAlert settings are global settings, meaning that they affect how all of the alerts behave.





Step 3 Configure the alert settings as required.


Alert ListingThe following sections list alerts by classification. The table in each section includes the alert name (internally used descriptor), actual text of the alert, description, severity (critical, information, or warning) and the parameters (if any) included in the text of the message.

Option Description

From Address to Use When Sending Alerts

The RFC 2822 compliant “Header From:” address to use when sending alerts. An option is provided to automatically generate an address based on the system hostname (“alert@<hostname>”)

Wait Before Sending a Duplicate Alert

Specifies the time interval for duplicate alerts. There are two settings:

Initial Number of Seconds to Wait Before Sending a Duplicate Alert. If you set this value to 0, duplicate alert summaries are not sent and instead, all duplicate alerts are sent without any delay (this can lead to a large amount of email over a short amount of time). The number of seconds to wait between sending duplicate alerts (alert interval) is increased after each alert is sent. The increase is the number of seconds to wait plus twice the last interval. So a 5 second wait would have alerts sent at 5 seconds, 15, seconds, 35 seconds, 75 seconds, 155 seconds, 315 seconds, etc.

Maximum Number of Seconds to Wait Before Sending a Duplicate Alert. You can set a cap on the number of seconds to wait between intervals via the maximum number of seconds to wait before sending a duplicate alert field. For example, if you set the initial value to 5 seconds, and the maximum value to 60 seconds, alerts would be sent at 5 seconds, 15 seconds, 35 seconds, 60 seconds, 120 seconds, etc

Cisco AutoSupport Specifies whether or not to send Cisco the following support information:

• a copy of all alert messages generated by the system

• weekly reports noting the uptime of the system, the output of the status command, and the AsyncOS version used.

Also specifies whether or not to send internal alert recipients a copy of every message sent to Cisco. This applies only to recipients that are set to receive System alerts at Information severity level.



Feature Key Alerts

The following table contains a list of the various feature key alerts that can be generated by AsyncOS, including a description of the alert and the alert severity:

Hardware Alerts

The following table contains a list of the various hardware alerts that can be generated by AsyncOS, including a description of the alert and the alert severity:

Logging Alerts

The following table contains a list of the various logging alerts that can be generated by AsyncOS, including a description of the alert and the alert severity:

Message Alert Severity Parameters

A “$feature” key was downloaded from the key server and placed into the pending area. EULA acceptance required.

Information. $feature: Name of the feature.

Your “$feature” evaluation key has expired. Please contact your authorized sales representative.

Warning. $feature: Name of the feature.

Your “$feature” evaluation key will expire in under $days day(s). Please contact your authorized sales representative.

Warning. $feature: Name of the feature.

$days: The number of days that will pass before the feature key will expire.


A RAID-event has occurred:

$error

Warning $error: Text of the RAID error.


$error. Information. $error: The traceback string of the error.

Log Error: Subscription $name: Log partition is full.

Critical. $name: Log subscription name.

Log Error: Push error for subscription $name: Failed to connect to $ip: $reason.


$ip: IP address of the remote host.

$reason: Text describing the connect error

Log Error: Push error for subscription $name: An FTP command failed to $ip: $reason.



$reason: Text describing what went wrong.

Log Error: Push error for subscription $name: SCP failed to transfer to $ip:$port: $reason',



$port: Port number on the remote host.

$reason: Text describing what went wrong.



Reporting Alerts

The following table contains a list of the various reporting alerts that can be generated by AsyncOS, including a description of the alert and the alert severity:

Log Error: 'Subscription $name: Failed to connect to $hostname ($ip): $error.


$hostname: Hostname of the syslog server.

$ip: IP address of the syslog server.

$error: Text of the error message.

Log Error: Subscription $name: Network error while sending log data to syslog server $hostname ($ip): $error




$error: Text of the error message.

Subscription $name: Timed out after $timeout seconds sending data to syslog server $hostname ($ip).


$timeout: Timeout in seconds.



Subscription $name: Syslog server $hostname ($ip) is not accepting data fast enough.




Subscription $name: Oldest log file(s) were removed because log files reached the maximum number of $max_num_files. Files removed include:

$files_removed.

Information. $name: Log subscription name.

$max_num_files: Maximum number of files allowed per log subscription.

$files_removed: List of files that were removed.



The reporting system is unable to maintain the rate of data being generated. Any new data generated will be lost.

Critical. Not applicable.

The reporting system is now able to handle new data.

Information. Not applicable.

A failure occurred while building periodic report ‘$report_title’.

This subscription should be examined and deleted if its configuration details are no longer valid.

Critical. $report_title: Title of the report.

A failure occurred while emailing periodic report ‘$report_title’.

This subscription has been removed from the scheduler.




Processing of collected reporting data has been disabled due to lack of logging disk space. Disk usage is above $threshold percent. Recording of reporting events will soon become limited and reporting data may be lost if disk space is not freed up (by removing old logs, etc).

Once disk usage drops below $threshold percent, full processing of reporting data will be restarted automatically.

Warning. $threshold: Threshold value.

PERIODIC REPORTS: While building periodic report $report_title' the expected domain specification file could not be found at ‘$file_name’. No reports were sent.


$file_name: Name of the file.

Counter group “$counter_group” does not exist. Critical. $counter_group: Name of the counter_group.

PERIODIC REPORTS: While building periodic report $report_title’ the domain specification file ‘$file_name’ was empty. No reports were sent.



PERIODIC REPORTS: Errors were encountered while processing the domain specification file ‘$file_name’ for the periodic report ‘$report_title’. Any line which has any reported problem had no report sent.

$error_text



$error_text: List of errors encountered.

Processing of collected reporting data has been disabled due to lack of logging disk space. Disk usage is above $threshold percent. Recording of reporting events will soon become limited and reporting data may be lost if disk space is not freed up (by removing old logs, etc).

Once disk usage drops below $threshold percent, full processing of reporting data will be restarted automatically.

Warning. $threshold: Threshold value.

The reporting system has encountered a critical error while opening the database. In order to prevent disruption of other services, reporting has been disabled on this machine. Please contact customer support to have reporting enabled.

The error message is:

$err_msg

Critical. $err_msg: Error message text.




System Alerts

The following table contains a list of the various system alerts that can be generated by AsyncOS, including a description of the alert and the alert severity:


Startup script $name exited with error: $message Critical. $name: Name of the script.

$message: Error message text.

System halt failed: $exit_status: $output', Critical. $exit_status: Exit code of the command.

$output: Output from the command.

System reboot failed: $exit_status: $output Critical. $exit_status: Exit code of the command.

$output: Output from the command.

Process $name listed $dependency as a dependency, but it does not exist.

Critical. $name: Name of the process.

$dependency: Name of the dependency that was listed.

Process $name listed $dependency as a dependency, but $dependency is not a wait_init process.



Process $name listed itself as a dependency. Critical. $name: Name of the process.

Process $name listed $dependency as a dependency multiple times.



Dependency cycle detected: $cycle. Critical. $cycle: The list of process names involved in the cycle.

An error occurred while attempting to share statistical data through the Network Participation feature. Please forward this tracking information to your support provider:

Error: $error.

Warning. $error: The error message associated with the exception.

There is an error with “$name”. Critical. $name: Name of the process that generated a core file.

An application fault occurred: “$error” Critical. $error: Text of the error, typically a traceback.

Tech support: Service tunnel has been enabled, port $port

Information. $port: Port number used for the service tunnel.


Chapter 22 Perform System Administration Tasks FIPS Compliance

Updater Alerts

The following table contains a list of the various updater alerts that can be generated by AsyncOS, including a description of the alert and the alert severity:

Anti-Malware Alerts

For information about alerts related to Advanced Malware Protection, see Ensuring That You Receive Alerts About Advanced Malware Protection Issues, page 14-10.

FIPS ComplianceFederal Information Processing Standards (FIPS) specify requirements for cryptographic modules that are used by all government agencies to protect sensitive but unclassified information. FIPS help ensure compliance with federal security and data privacy requirements. FIPS, developed by the National Institute for Standards and Technology (NIST), are to use when no voluntary standards exist to meet federal requirements.

The WSA achieves FIPS 140-2 Level 1 compliance in FIPS mode using Cisco Common Cryptographic Module (C3M). By default, FIPS mode is disabled.

Tech support: Service tunnel has been disabled. Information. Not applicable.

• The host at $ip has been added to the blacklist because of an SSH DOS attack.

• The host at $ip has been permanently added to the ssh whitelist.

• The host at $ip has been removed from the blacklist

Warning. $ip - IP address from which a login attempt occurred.

Description:

IP addresses that try to connect to the appliance over SSH but do not provide valid credentials are added to the SSH blacklist if more than 10 failed attempts occur within two minutes.

When a user logs in successfully from the same IP address, that IP address is added to the whitelist.

Addresses on the whitelist are allowed access even if they are also on the blacklist.

Entries are automatically removed from the blacklist after about a day.



The $app application tried and failed $attempts times to successfully complete an update. This may be due to a network configuration issue or temporary outage.

Warning. $app: Web Security appliance security service name.

$attempts: Number of attempts tried.

The updater has been unable to communicate with the update server for at least $threshold.

Warning. $threshold: Threshold value time.

Unknown error occurred: $traceback. Critical. $traceback: Traceback information.


Chapter 22 Perform System Administration Tasks System Date and Time Management

FIPS Certificate RequirementsFIPS mode requires that all enabled encryption services on the Web Security appliance use a FIPS-compliant certificate. This applies to the following encryption services:

• HTTPS Proxy

• Authentication

• Identity Provider for SaaS

• Appliance Management HTTPS Service

Note The Appliance Management HTTPS Service must be enabled before FIPS mode can be enabled. The other encryption services need not be enabled.

A FIPS-compliant certificate must meet these requirements:

Enabling or Disabling FIPS Mode

Before You Begin

• Ensure the certificates to be used in FIPS mode use FIPS 140-2 approved public key algorithms (see FIPS Certificate Requirements, page 22-22).

Note Changing the FIPS mode initiates a reboot of the appliance.

Step 1 Choose System Administration > FIPS Mode.


Step 3 Check or uncheck the Enable FIPS Level 1 Compliance check box.


Step 5 Click Continue to allow the appliance to reboot.

System Date and Time Management• Setting the Time Zone, page 22-23

Certificate Algorithm Bit Key Size Signature Algorithm Notes

X509 RSA 1024, 2048, 3072, or 4096

sha1WithRSAEncryption Cisco recommends a bit key size of 1024 for best decryption performance and sufficient security. A larger bit size will increase security, but impact decryption performance.

DSA 1024 dsaWithSHA1


Chapter 22 Perform System Administration Tasks SSL Configuration

• Synchronizing the System Clock with an NTP Server, page 22-23

Setting the Time Zone

Step 1 Choose System Administration > Time Zone.


Step 3 Select your region, country, and time zone or select the GMT offset.

Step 4 Submit and commit the changes.

Synchronizing the System Clock with an NTP Server Cisco recommends that you set your Web Security appliance to track the current date and time by querying a Network Time Protocol (NTP) server, not by manually setting the time on the appliance. This is especially true if your appliance integrates with other devices. All integrated devices should use the same NTP server.

Step 1 Choose System Administration > Time Settings.


Step 3 Select Use Network Time Protocol as the Time Keeping Method.

Step 4 Enter the fully qualified hostname or IP address of the NTP server, clicking Add Row as needed to add servers.

Step 5 (Optional) Choose the routing table associated with an appliance network interface type, either Management or Data, to use for NTP queries. This is the IP address from which NTP queries should originate.

Note This option is only editable if the appliance is using split routing for data and management traffic.


SSL Configuration For enhanced security, you can enable and disable SSL v3 and various versions of TLS for several services. Disabling SSL v3 for all services is recommended for best security. By default, all versions of TLS are enabled, and SSL is disabled.

Note You also can use the sslconfig CLI command to enable or disable these features. See Web Security Appliance CLI Commands, page B-6.


Chapter 22 Perform System Administration Tasks SSL Configuration

Step 1 Choose System Administration > SSL Configuration.


Step 3 Check the corresponding boxes to enable SSL v3 and TLS v1.x for these services:

• Appliance Management Web User Interface – Changing this setting will disconnect all active user connections.

• Proxy Services – Includes HTTPS Proxy and Credential Encryption for Secure Client. This section also includes:

– Cipher(s) to Use – You can enter additional cipher suites to be used with Proxy Services communications. Use colons (:) to separate the suites. To prevent use of a particular cipher, add an exclamation point (!) to the front of that string. For example, !EXP-DHE-RSA-DES-CBC-SHA.

Be sure to enter only suites appropriate to the TLS/SSL versions you have checked. Refer to https://www.openssl.org/docs/manmaster/apps/ciphers.html for additional information, and cipher lists.

The default cipher for AsyncOS versions 9.0 and earlier is DEFAULT:+kEDH. For AsyncOS versions 9.1 and later, it the default cipher is EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:!SRP:!I

DEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-S

HA:DHE-RSA-AES128-SHA. In both cases, this may change based on your ECDHE cipher selections.

Note However, regardless of version, the default cipher does not change when you upgrade to a newer AsyncOS version. For example, when you upgrade from an earlier version to AsyncOS 9.1, the default cipher is DEFAULT:+kEDH. In other words, following an upgrade, you must update the current cipher suite yourself; Cisco recommends updating to EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED:!CAMELLIA:!

SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-DSS-AES256-S

HA:!AES256-SHA:DHE-RSA-AES128-SHA.

– Disable TLS Compression (Recommended) – You can check this box to disable TLS compression; this is recommended for best security.

• Secure LDAP Services – Includes Authentication, External Authentication and Secure Mobility.

• Secure ICAP Services (External DLP) – Select the protocol(s) used to secure ICAP communications between the appliance and external DLP (data loss prevention) servers. See Configuring External DLP Servers, page 16-9 for more information.

• Update Service – Select the protocol(s) used for communications between the appliance and available update servers. See AsyncOS for Web Upgrades and Updates, page 22-28 for more information about update services.

Note Cisco’s Update servers do not support SSL v3, therefore TLS 1.0 or above must be enabled for the Cisco Update service. However, SSL v3 can still be used with a local update server, if it is so configured—you must determine which versions of SSL/TLS are supported on that server.


https://www.openssl.org/docs/manmaster/apps/ciphers.html


Chapter 22 Perform System Administration Tasks Certificate Management

Certificate ManagementThe appliance uses digital certificates to establish, confirm and secure a variety of connections. The Certificate Management page lets you view and update current certificate lists, manage trusted root certificates, and view blocked certificates.

Related Topics

• About Certificates and Keys, page 22-25

• Certificate Updates, page 22-26

• Managing Trusted Root Certificates, page 22-25

• Viewing Blocked Certificates, page 22-26

About Certificates and KeysWhen a browser prompts its user to authenticate, the browser sends the authentication credentials to the Web Proxy using a secure HTTPS connection. By default, the Web Security appliance uses the “Cisco Web Security Appliance Demo Certificate” that comes with it to create an HTTPS connection with the client. Most browsers will warn users that the certificate is not valid. To prevent users from seeing the invalid certificate message, you can upload a certificate and key pair that your applications recognize automatically.

Related Topics

• Uploading or Generating a Certificate and Key, page 22-26

• Certificate Signing Requests, page 22-27

• Intermediate Certificates, page 22-28

Managing Trusted Root CertificatesThe Web Security appliance ships with and maintains a list of trusted root certificates. Web sites with trusted certificates do not require decryption.

You can manage the trusted certificate list, adding certificates to it and functionally removing certificates from it. While the Web Security appliance does not delete certificates from the master list, it allows you to override trust in a certificate, which functionally removes the certificate from the trusted list.

To add, override or download a trusted root certificate:

Step 1 Choose Network > Certificate Management.

Step 2 Click Manage Trusted Root Certificates on the Certificate Management page.

Step 3 To add a custom trusted root certificate with a signing authority not on the Cisco-recognized list:

Click Import and then browse to, select, and Submit the certificate file.

Step 4 To override the trust for one or more Cisco-recognized certificates:

a. Check the Override Trust checkbox for each entry you wish to override.

b. Click Submit.



Step 5 To download a copy of a particular certificate:

a. Click the name of the certificate in the Cisco Trusted Root Certificate List to expand that entry.

b. Click Download Certificate.

Certificate UpdatesThe Updates section lists version and last-updated information for the Cisco trusted-root-certificate and blacklist bundles on the appliance. These bundles are updated periodically.

Step 1 Click Update Now on the Certificate Management page to update all bundles for which updates are available.

Viewing Blocked CertificatesTo view a list of certificates which Cisco has determined to be invalid, and has blocked:

Step 1 Click View Blocked Certificates.

Uploading or Generating a Certificate and KeyCertain AsyncOS features require a certificate and key to establish, confirm or secure a connectionIdentity Services Engine (ISE) and . You can either upload an existing certificate and key, or you can generate one when you configure the feature.

Uploading a Certificate and Key

A certificate you upload to the appliance must meet the following requirements:

• It must use the X.509 standard.

• It must include a matching private key in PEM format. DER format is not supported.

Step 1 Select Use Uploaded Certificate and Key.

Step 2 In the Certificate field, click Browse; locate the file to upload.

Note The Web Proxy uses the first certificate or key in the file. The certificate file must be in PEM format. DER format is not supported.

Step 3 In the Key field, click Browse; locate the file to upload.



Note The key length must be 512, 1024, or 2048 bits. The private key file must be in PEM format. DER format is not supported.

Step 4 If the key is encrypted, select Key is Encrypted.

Step 5 Click Upload Files.

Generating a Certificate and Key

Step 1 Select Use Generated Certificate and Key.

Step 2 Click Generate New Certificate and Key.

a. In the Generate Certificate and Key dialog box, enter the necessary generation information.

Note You can enter any ASCII character except the forward slash ( / ) in the Common Name field.

b. Click Generate in the Generate Certificate and Key dialog box.

When generation is complete, the certificate information is displayed in the Certificate section, along with two links: Download Certificate and Download Certificate Signing Request. In addition, there is a Signed Certificate option that is used to upload the signed certificate when you receive it from the Certificate Authority (CA).

Step 3 Click Download Certificate to download the new certificate for upload to the appliance.

Step 4 Click Download Certificate Signing Request to download the new certificate file for transmission to a Certificate Authority (CA) for signing. See Certificate Signing Requests, page 22-27 for more information about this process.

a. When the CA returns the signed certificate, click Browse in the Signed Certificate portion of the Certificate field to locate the signed-certificate file, and then click Upload File to upload it to the appliance.

b. Ensure the CA’s root certificate is present in the appliance’s list of trusted root certificates. If it is not, add it. See Managing Trusted Root Certificates, page 22-25 for more information.

Certificate Signing Requests

The Web Security appliance cannot generate Certificate Signing Requests (CSR) for certificates uploaded to the appliance. Therefore, to have a certificate created for the appliance, you must issue the signing request from another system. Save the PEM-formatted key from this system because you will need to install it on the appliance later.

You can use any UNIX machine with a recent version of OpenSSL installed. Be sure to put the appliance hostname in the CSR. Use the guidelines at the following location for information on generating a CSR using OpenSSL:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28


Chapter 22 Perform System Administration Tasks AsyncOS for Web Upgrades and Updates

Once the CSR has been generated, submit it to a certificate authority (CA). The CA will return the certificate in PEM format.

If you are acquiring a certificate for the first time, search the Internet for “certificate authority services SSL server certificates,” and choose the service that best meets the needs of your organization. Follow the service’s instructions for obtaining an SSL certificate.

Note You can also generate and sign your own certificate. Tools for doing this are included with OpenSSL, free software from http://www.openssl.org.

Intermediate Certificates

In addition to root certificate authority (CA) certificate verification, AsyncOS supports the use of intermediate certificate verification. Intermediate certificates are certificates issued by a trusted root CA which are then used to create additional certificates. This creates a chained line of trust. For example, a certificate may be issued by example.com who, in turn, is granted the rights to issue certificates by a trusted root CA. The certificate issued by example.com must be validated against example.com’s private key as well as the trusted root CA’s private key.

AsyncOS for Web Upgrades and UpdatesCisco periodically releases upgrades (new software versions) and updates (changes to current software versions) for AsyncOS for Web and its components.

Best Practices For Upgrading AsyncOS for Web• Before you start the upgrade, save the XML configuration file off the Web Security appliance from

the System Administration > Configuration File page or by using the saveconfig command.

• Save other files stored on the appliance, such as PAC files or customized end-user notification pages.

• When upgrading, do not pause for long amounts of time at the various prompts. If the TCP session times out during the download, the upgrade may fail.

• After the upgrade completes, save the configuration information to an XML file.

Related Topics

• Saving, Loading, and Resetting the Appliance Configuration, page 22-2.

Upgrading and Updating AsyncOS and Security Service Components

Upgrading AsyncOS for Web

Before You Begin

• Save the appliance configuration file (see Saving, Loading, and Resetting the Appliance Configuration, page 22-2).



Step 1 Choose System Administration > System Upgrade.

Step 2 Click Available Upgrades.

Step 3 Select an upgrade from the list of available upgrades, and click Begin Upgrade to start the upgrade process. Answer the questions as they appear.

The CLI and the Web application interface may be sluggish or unavailable during the update process.

Step 4 When the upgrade is complete, click Reboot Now to reboot the Web Security appliance.

Related Topics

• Local And Remote Update Servers, page 22-30.

Automatic and Manual Update and Upgrade QueriesAsyncOS periodically queries the update servers for new updates to all security service components, but not for new AsyncOS upgrades. To upgrade AsyncOS, you must manually prompt AsyncOS to query for available upgrades. You can also manually prompt AsyncOS to query for available security service updates. For more information, see Reverting to a Previous Version of AsyncOS for Web, page 22-33.

When AsyncOS queries an update server for an update or upgrade, it performs the following steps:

1. Contacts the update server.

Cisco allows the following sources for update servers:

– Cisco update servers. For more information, see Updating and Upgrading from the Cisco Update Servers, page 22-30.

– Local server. For more information, see Upgrading from a Local Server, page 22-31.

2. Receives an XML file that lists the available updates or AsyncOS upgrade versions. This XML file is known as the “manifest.”

3. Downloads the update or upgrade image files.

Manually Updating Security Service Components

By default, each security service component periodically receives updates to its database tables from the Cisco update servers. However, you can manually update the database tables.

Note Some updates are available on demand from the GUI pages related to the feature.

Tip View a record of update activity in the updater log file. Subscribe to the updater log file on the System Administration > Log Subscriptions page.

Note Updates that are in-progress cannot be interrupted. All in-progress updates must complete before new changes can be applied.



Step 1 Choose System Administration > Upgrade and Update Settings.

Step 2 Click Edit Update Settings.

Step 3 Specify the location of the update files.

Step 4 Initiate the update using the Update Now function key on the component page located on the Security Services tab. For example, Security Services > Web Reputation Filters page.

The CLI and the Web application interface may be sluggish or unavailable during the update process.

Local And Remote Update ServersBy default, AsyncOS contacts the Cisco update servers for both update and upgrade images and the manifest XML file. However, you can choose from where to download the upgrade and update images and the manifest file. Using a local update server for the images or manifest file for any of the following reasons:

• You have multiple appliances to upgrade simultaneously. You can download the upgrade image to a web server inside your network and serve it to all appliances in your network.

• Your firewall settings require static IP addresses for the Cisco update servers. The Cisco update servers use dynamic IP addresses. If you have strict firewall policies, you may need to configure a static location for updates and AsyncOS upgrades. For more information, see Configuring a Static Address for the Cisco Update Servers, page 22-30.

Note Local update servers do not automatically receive security service updates, only AsyncOS upgrades. After using a local update server for upgrading AsyncOS, change the update and upgrade settings back to use the Cisco update servers so the security services update automatically again.

Updating and Upgrading from the Cisco Update Servers

A Web Security appliance can connect directly to Cisco update servers and download upgrade images and security service updates. Each appliance downloads the updates and upgrade images separately.

Configuring a Static Address for the Cisco Update Servers

The Cisco update servers use dynamic IP addresses. If you have strict firewall policies, you may need to configure a static location for updates and AsyncOS upgrades.

Step 1 Contact Cisco Customer Support to obtain the static URL address.

Step 2 Navigate to the System Administration > Upgrade and Update Settings page, and click Edit Update Settings.

Step 3 On the Edit Update Settings page, in the “Update Servers (images)” section, choose Local Update Servers and enter the static URL address received in step 1.

Step 4 Verify that Cisco Update Servers is selected for the “Update Servers (list)” section.




Upgrading from a Local Server

The Web Security appliance can download AsyncOS upgrades from a server within your network instead of obtaining upgrades directly from the Cisco update servers. When you use this feature, you download the upgrade image from Cisco once only, and then serve it to all Web Security appliances in your network.

Figure 22-1 shows how Web Security appliances download upgrade images from local servers.

Figure 22-1 Upgrading from a Local Server

Hardware and Software Requirements for Local Upgrade Servers

For downloading AsyncOS upgrade files, you must have a system in your internal network that has a web browser and Internet access to the Cisco update servers.

Note If you need to configure a firewall setting to allow HTTP access to this address, you must configure it using the DNS name and not a specific IP address.

For hosting AsyncOS upgrade files, a server on the internal network must have a web server, such as Microsoft IIS (Internet Information Services) or the Apache open source server, which has the following features:

• Supports the display of directory or filenames in excess of 24 characters.

• Has directory browsing enabled.

• Is configured for anonymous (no authentication) or Basic (“simple”) authentication.

• Contains at least 350MB of free disk space for each AsyncOS upgrade image.



Configuring Upgrades from a Local Server

Note Cisco recommends changing the update and upgrade settings to use the Cisco update servers (using dynamic or static addresses) after the upgrade is complete to ensure the security service components continue to update automatically.

Step 1 Configure a local server to retrieve and serve the upgrade files.

Step 2 Download the upgrade zip file.

Using a browser on the local server, go tohttp://updates.ironport.com/fetch_manifest.html to download a zip file of an upgrade image. To download the image, enter your serial number (for a physical appliance) or VLN (for a virtual appliance) and the version number of the appliance. You will then be presented with a list of available upgrades. Click on the upgrade version that you want to download.

Step 3 Unzip the zip file in the root directory on the local server while keeping the directory structure intact.

Step 4 Configure the appliance to use the local server using the System Administration > Upgrade and Update Settings page or the updateconfig command.

Step 5 On the System Administration > System Upgrade page, click Available Upgrades or run the upgrade command.

Differences Between Local and Remote Upgrading Methods

The following differences apply when upgrading AsyncOS from a local server rather than from a Cisco update server:

• The upgrading installs immediately while downloading.

• A banner displays for 10 seconds at the beginning of the upgrade process. While this banner is displayed, you have the option to type Control+C to exit the upgrade process before downloading starts.

Configuring Upgrade and Service Update SettingsYou can configure how the Web Security appliance downloads security services updates and AsyncOS for Web upgrades. For example, you can choose which network interface to use when downloading the files, configure the update interval or disable automatic updates.

Step 1 Choose System Administration > Upgrade and Update Settings.

Step 2 Click Edit Update Settings.


Chapter 22 Perform System Administration Tasks Reverting to a Previous Version of AsyncOS for Web

Step 3 Configure the settings, referencing the following information:


Related Topics

• Local And Remote Update Servers, page 22-30.

• Automatic and Manual Update and Upgrade Queries, page 22-29.

• Upgrading and Updating AsyncOS and Security Service Components, page 22-28.

Reverting to a Previous Version of AsyncOS for WebAsyncOS for Web supports the ability to revert the AsyncOS for Web operating system to a previous qualified build for emergency uses.

Setting Description

Automatic Updates Choose whether or not to enable automatic updates of the security components. If you choose automatic updates, enter the time interval. The default is enabled and the update interval is 5 minutes.

Upgrade Notifications Choose whether to display a notification at the top of the Web Interface when a new upgrade to AsyncOS is available. The appliance only displays this notification for administrators.

For more information, see Upgrading AsyncOS for Web, page 22-28.

Update Servers (list) Whether to download the list of available upgrades and updates (the manifest XML file) from the Cisco update servers or a local web server.

When you choose a local update server, enter the full path to the manifest XML file for the list including the file name and port number for the server. If you leave the port field blank, AsyncOS uses port 80. If the server requires authentication, you can also enter a valid user name and passphrase.

• The URL for obtaining the manifest for hardware appliances is:

https://update-manifests.ironport.com

• The URL for obtaining the manifest for virtual appliances is:

https://update-manifests.sco.cisco.com

Update Servers (images) Whether to download upgrade and update images from the Cisco update servers or a local web server.

When you choose a local update server, enter the base URL and port number for the server. If you leave the port field blank, AsyncOS uses port 80. If the server requires authentication, you can also enter a valid user name and passphrase.

Routing Table Choose which network interface’s routing table to use when contacting the update servers.

Proxy Server (optional) If an upstream proxy server exists and requires authentication, enter the server information and user name and passphrase here.


Chapter 22 Perform System Administration Tasks Reverting to a Previous Version of AsyncOS for Web

Note You cannot revert to a version of AsyncOS for Web earlier than version 7.5.

Reverting AsyncOS on Virtual Appliances Impacts the License[per elic FS] If you revert to AsyncOS 8.0, there is no 180-day grace period during which the appliance processes web transactions without security features. License expiration dates are unaffected.

Configuration File Use in the Revert ProcessEffective in version 7.5, when you upgrade to a later version, the upgrade process automatically saves the current system configuration to a file on the Web Security appliance. (However, Cisco recommends manually saving the configuration file to a local machine as a backup.) This allows AsyncOS for Web to load the configuration file associated with the earlier release after reverting to the earlier version. However, when it performs a reversion, it uses the current network settings for the management interface.

Reverting AsyncOS for an Appliance Managed by the SMAYou can revert AsyncOS for Web from the Web Security appliance. However, if the Web Security appliance is managed by a Security Management appliance, consider the following rules and guidelines:

• When Centralized Reporting is enabled on the Web Security appliance, AsyncOS for Web finishes transferring the reporting data to the Security Management appliance before it starts the reversion. If the files take longer than 40 seconds to transfer to the Security Management appliance, AsyncOS for Web prompts you to continue waiting to transfer the files, or continue the reversion without transferring all files.

• You must associate the Web Security appliance with the appropriate Configuration Master after reverting. Otherwise, pushing a configuration from the Security Management appliance to the Web Security appliance might fail.

Related Topics

• Link to Security Management / Configuration Master topics (have not seen these anywhere)

Reverting AsyncOS for Web to a Previous Version

Caution Reverting the operating system on a Web Security appliance is a very destructive action and destroys all configuration logs and databases. Reversion also disrupts web traffic handling until the appliance is reconfigured. Depending on the initial Web Security appliance configuration, this action may destroy network configuration. If this happens, you will need physical local access to the appliance after performing the reversion.

Note If updates to the set of URL categories are available, they will be applied after AsyncOS reversion.


Chapter 22 Perform System Administration Tasks Monitoring System Health and Status Using SNMP

Before You Begin

• Contact Cisco Quality Assurance to confirm that you can perform the intended reversion. (BS: this is a summary of the Available Versions section in the original chapter. Have asked if this is correct.)

• Back up the following information from the Web Security appliance to a separate machine:

– System configuration file (with passphrases unmasked).

– Log files you want to preserve.

– Reports you want to preserve.

– Customized end-user notification pages stored on the appliance.

– PAC files stored on the appliance.

Step 1 Log into the CLI of the appliance you want to revert.

Note When you run the revert command in the next step, several warning prompts are issued. After these warning prompts are accepted, the revert action takes place immediately. Therefore, do not begin the reversion process until after you have completed the pre-reversion steps.

Step 2 Enter the revert command.

Step 3 Confirm twice that you want to continue with the reversion.

Step 4 Choose one of the available versions to revert to.

The appliance reboots twice.

Note The reversion process is time-consuming. It may take fifteen to twenty minutes before reversion is complete and console access to the appliance is available again.

The appliance should now run using the selected AsyncOS for Web version. You can access the web interface from a web browser.

Monitoring System Health and Status Using SNMPThe AsyncOS operating system supports system status monitoring via SNMP (Simple Network Management Protocol). (For more information about SNMP, see RFCs 1065, 1066, and 1067.)

Please note:

• SNMP is off by default.

• SNMP SET operations (configuration) are not implemented.

• AsyncOS supports SNMPv1, v2, and v3. For more information on SNMPv3, see RFCs 2571-2575.

• Message authentication and encryption are mandatory when enabling SNMPv3. Passphrases for authentication and encryption should be different. The encryption algorithm can be AES (recommended) or DES. The authentication algorithm can be SHA-1 (recommended) or MD5. The snmpconfig command “remembers” your passphrases the next time you run the command.



• The SNMPv3 username is: v3get.

• If you use only SNMPv1 or SNMPv2, you must set a community string. The community string does not default to public.

• For SNMPv1 and SNMPv2, you must specify a network from which SNMP GET requests are accepted.

• To use traps, an SNMP manager (not included in AsyncOS) must be running and its IP address entered as the trap target. (You can use a host name, but if you do, traps will only work if DNS is working.)

MIB FilesMIB files are available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/tsd-products-support-series-home.html. Use the latest version of each MIB file.

There are multiple MIB files:

• asyncoswebsecurityappliance-mib.txt — an SNMPv2 compatible description of the Enterprise MIB for Web Security appliances.

• ASYNCOS-MAIL-MIB.txt — an SNMPv2 compatible description of the Enterprise MIB for Email Security appliances.

• IRONPORT-SMI.txt — This “Structure of Management Information” file defines the role of the asyncoswebsecurityappliance-mib.

This release implements a read-only subset of MIB-II as defined in RFCs 1213 and 1907.

Enabling and Configuring SNMP Monitoring To configure SNMP to gather system status information for the appliance, use the snmpconfig command in the command-line interface (CLI). After you choose and configure values for an interface, the appliance responds to SNMPv3 GET requests.

When you use SNMP monitoring, keep the following points in mind:

• These version 3 requests must include a matching passphrase.

• By default, version 1 and 2 requests are rejected.

• If enabled, version 1 and 2 requests must have a matching community string.

Hardware Objects Hardware sensors conforming to the Intelligent Platform Management Interface Specification (IPMI) report information such as temperature, fan speed, and power supply status.

To determine the hardware-related objects available for monitoring (for example, the number of fans or the operating temperature range), see the hardware guide for your appliance model.

> snmpwalk -v 3 -l AuthNoPriv -u v3get -a MD5 serv.example.com

http://www.cisco.com/c/en/us/support/security/web-security-appliance/tsd-products-support-series-home.html




Related Topics

• Documentation Set, page C-2

SNMP TrapsSNMP provides the ability to send traps, or notifications, to advise an administration application when one or more conditions have been met. Traps are network packets that contain data relating to a component of the system sending the trap. Traps are generated when a condition has been met on the SNMP agent (in this case, the Cisco Web Security Appliance appliance). After the condition has been met, the SNMP agent then forms an SNMP packet and sends it to the host running the SNMP management console software.

You can configure SNMP traps (enable or disable specific traps) when you enable SNMP for an interface.

To specify multiple trap targets: when prompted for the trap target, you may enter up to 10 comma separated IP addresses.

Related Topics

• About the connectivityFailure SNMP Trap, page 22-37

About the connectivityFailure SNMP Trap

The connectivityFailure trap is intended to monitor your appliance’s connection to the internet. It does this by attempting to connect and send an HTTP GET request to a single external server every 5 to 7 seconds. By default, the monitored URL is downloads.ironport.com on port 80.

To change the monitored URL or port, run the snmpconfig command and enable the connecivityFailure trap, even if it is already enabled. You will see a prompt to change the URL.

Tip To simulate connectivityFailure traps, you can use the dnsconfig CLI command to enter a non-working DNS server. Lookups for downloads.ironport.com will fail, and traps will be sent every 5-7 seconds. Be sure to change the DNS server back to a working server after completing your test.

CLI Example: snmpconfig wsa.example.com> snmpconfig

Current SNMP settings:SNMP Disabled.

Choose the operation you want to perform:- SETUP - Configure SNMP.[]> SETUP

Do you want to enable SNMP? [Y]>

Please choose an IP interface for SNMP requests.1. Management (198.51.100.1: wsa.example.com)[1]>

Which port shall the SNMP daemon listen on interface "Management"?[161]>



Please select SNMPv3 authentication type:1. MD52. SHA[1]> 2

Please select SNMPv3 privacy protocol:1. DES2. AES[1]> 2

Enter the SNMPv3 authentication passphrase.[]> Please enter the SNMPv3 authentication passphrase again to confirm.[]> Enter the SNMPv3 privacy passphrase.[]> Please enter the SNMPv3 privacy passphrase again to confirm.[]>

Service SNMP V1/V2c requests? [N]> Y

Enter the SNMP V1/V2c community string.[ironport]> public

Shall SNMP V2c requests be serviced from IPv4 addresses? [Y]>

From which IPv4 networks shall SNMP V1/V2c requests be allowed? Separatemultiple networks with commas.[127.0.0.1/32]>

Enter the Trap target as a host name, IP address or list of IPaddresses separated by commas (IP address preferred). Enter "None" to disable traps.[127.0.0.1]> 203.0.113.1

Enter the Trap Community string.[ironport]> tcomm

Enterprise Trap Status1. CPUUtilizationExceeded Disabled2. FIPSModeDisableFailure Enabled3. FIPSModeEnableFailure Enabled4. FailoverHealthy Enabled5. FailoverUnhealthy Enabled6. RAIDStatusChange Enabled7. connectivityFailure Disabled8. fanFailure Enabled9. highTemperature Enabled10. keyExpiration Enabled11. linkUpDown Enabled12. memoryUtilizationExceeded Disabled13. powerSupplyStatusChange Enabled14. resourceConservationMode Enabled15. updateFailure EnabledDo you want to change any of these settings? [N]> Y

Do you want to disable any of these traps? [Y]> n

Do you want to enable any of these traps? [Y]> y



Enter number or numbers of traps to enable. Separate multiple numbers withcommas.[]> 1,7,12

What threshold would you like to set for CPU utilization?[95]>

What URL would you like to check for connectivity failure?[http://downloads.ironport.com]>

What threshold would you like to set for memory utilization?[95]>

Enter the System Location string.[Unknown: Not Yet Configured]> Network Operations Center - west; rack #30, position 3

Enter the System Contact string.[snmp@localhost]> [email protected]

Current SNMP settings:Listening on interface "Management" 198.51.100.1 port 161.SNMP v3: Enabled.SNMP v1/v2: Enabled, accepting requests from subnet 127.0.0.1/32 .SNMP v1/v2 Community String: publicTrap target: 203.0.113.1Location: Network Operations Center - west; rack #30, position 3 System Contact: [email protected]

Choose the operation you want to perform:- SETUP - Configure SNMP.[]>

wsa.example.com> commit

Please enter some comments describing your changes:[]> Enable and configure SNMP

Changes committed: Fri Nov 06 18:13:16 2015 GMTwsa.example.com>



A-1AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

A P P E N D I X ATroubleshooting

• General Troubleshooting Best Practices

• Authentication Problems

• Blocked Object Problems

• Browser Problems

• DNS Problems

• Failover Problems

• Feature Keys Expired

• FTP Problems

• Hardware Issues

• HTTPS/Decryption/Certificate Problems

• Identity Services Engine Problems

• Logging Problems

• Policy Problems

• Problems with File Reputation and File Analysis

• Reboot Issues

• Site Access Problems

• Upstream Proxy Problems

• Virtual Appliances

• WCCP Problems

• Packet Capture

• Working With Support

General Troubleshooting Best PracticesConfigure your Access Logs to include the following custom fields:

%u, %g, %m, %k, %L (These values are case-sensitive.)

For descriptions of these fields, see Access Log Format Specifiers and W3C Log File Fields, page 21-30.


Appendix A Troubleshooting

For configuration instructions, see Customizing Access Logs, page 21-26 and Adding and Editing Log Subscriptions, page 21-7.

Authentication Problems• Troubleshooting Tools for Authentication Issues

• Failed Authentication Impacts Normal Operations

• LDAP Problems

• Basic Authentication Problems

• Single Sign-On Problems

• Also see:

– General Troubleshooting Best Practices

– HTTPS and FTP over HTTP Requests Match only Access Policies that Do Not Require Authentication

– Cannot Access URLs that Do Not Support Authentication

– Client Requests Fail Upstream Proxy

Troubleshooting Tools for Authentication Issues KerbTray or klist (both part of the Windows Server Resources Kit) for viewing and purging a Kerberos ticket cache. Active Directory Explorer for viewing and editing an Active directory. Wireshark is a packet analyzer you can use for network troubleshooting.

Failed Authentication Impacts Normal OperationsWhen certain user agents or applications fail to authenticate and are denied access, they repeatedly send requests to the Web Security appliance, which in turn repeatedly sends requests to the Active Directory servers with machine credentials, sometimes to the point of impacting normal operations.

For best results, bypass authentication with these user agents. See Bypassing Authentication with Problematic User Agents, page 5-29.

https://technet.microsoft.com/en-us/sysinternals/bb963907.aspx


Appendix A Troubleshooting Authentication Problems

LDAP Problems• LDAP User Fails Authentication due to NTLMSSP

• LDAP Authentication Fails due to LDAP Referral

LDAP User Fails Authentication due to NTLMSSP

LDAP servers do not support NTLMSSP. Some client applications, such as Internet Explorer, always choose NTLMSSP when given a choice between NTLMSSP and Basic. When all of the following conditions are true, the user will fail authentication:

• The user only exists in the LDAP realm.

• The Identification Profile uses a sequence that contains both LDAP and NTLM realms.

• The Identification Profile uses the “Basic or NTLMSSP” authentication scheme.

• A user sends a request from an application that chooses NTLMSSP over Basic.

Reconfigure the Identification Profile or the authentication realm or the application such that at least one of the above conditions will be false.

LDAP Authentication Fails due to LDAP Referral

LDAP authentication fails when all of the following conditions are true:

• The LDAP authentication realm uses an Active Directory server.

• The Active Directory server uses an LDAP referral to another authentication server.

• The referred authentication server is unavailable to the Web Security appliance.

Workarounds:

• Specify the Global Catalog server (default port is 3268) in the Active Directory forest when you configure the LDAP authentication realm in the appliance,

• Use the advancedproxyconfig > authentication CLI command to disable LDAP referrals. LDAP referrals are disabled by default.

Basic Authentication Problems• Basic Authentication Fails

Related Problems

• Upstream Proxy Does Not Receive Basic Credentials

Basic Authentication Fails

AsyncOS for Web only supports 7-bit ASCII characters for passphrases when using the Basic authentication scheme. Basic authentication fails when the passphrase contains characters that are not 7-bit ASCII.


Appendix A Troubleshooting Browser Problems

Single Sign-On Problems• Users Erroneously Prompted for Credentials

Users Erroneously Prompted for Credentials

NTLM authentication does not work in some cases when the Web Security appliance is connected to a WCCP v2 capable device. When a user makes a request with a highly locked down version of Internet Explorer that does not do transparent NTLM authentication correctly and the appliance is connected to a WCCP v2 capable device, the browser defaults to Basic authentication. This results in users getting prompted for their authentication credentials when they should not get prompted.

Workaround

In Internet Explorer, add the Web Security appliance redirect hostname to the list of trusted sites in the Local Intranet zone (Tools > Internet Options > Security tab).

Browser Problems• WPAD Not Working With Firefox

WPAD Not Working With FirefoxFirefox browsers may not support DHCP lookup with WPAD. For current information, see https://bugzilla.mozilla.org/show_bug.cgi?id=356831.

To use Firefox (or any other browser that does not support DHCP) with WPAD when the PAC file is hosted on the Web Security appliance, configure the appliance to serve the PAC file through port 80.

Step 1 Choose Security Services > Web Proxy and delete port 80 from the HTTP Ports to Proxy field.

Step 2 Use port 80 as the PAC Server Port when you upload the file to the appliance.

Step 3 If any browsers are manually configured to point to the web proxy on port 80, reconfigure those browsers to point to another port in the HTTP Ports to Proxy field.

Step 4 Change any references to port 80 in PAC files.

DNS Problems• Alert: Failed to Bootstrap the DNS Cache


Appendix A Troubleshooting Feature Keys Expired

Alert: Failed to Bootstrap the DNS CacheIf an alert with the message “Failed to bootstrap the DNS cache” is generated when an appliance is rebooted, it means that the system was unable to contact its primary DNS servers. This can happen at boot time if the DNS subsystem comes online before network connectivity is established. If this message appears at other times, it could indicate network issues or that the DNS configuration is not pointing to a valid server.

Feature Keys ExpiredIf the feature key for the feature you are trying to access (via the web interface) has expired, please contact your Cisco representative or support organization.

Failover Problems• Failover Misconfiguration

• Failover Issues on Virtual Appliances

Failover MisconfigurationMisconfiguration of failover groups might result in multiple master appliances or other failover problems. Diagnose failover problems using the testfailovergroup subcommand of the CLI failoverconfig command.

For example:

wsa.wga> failoverconfigCurrently configured failover profiles:1. Failover Group ID: 61 Hostname: failoverV4P1.wga, Virtual IP: 10.4.28.93/28 Priority: 100, Interval: 3 seconds Status: MASTERChoose the operation you want to perform:- NEW - Create new failover group.- EDIT - Modify a failover group.- DELETE - Remove a failover group.- PREEMPTIVE - Configure whether failover is preemptive.- TESTFAILOVERGROUP - Test configured failover profile(s)[]> testfailovergroupFailover group ID to test (-1 for all groups):[]> 61

Failover Issues on Virtual Appliances For deployments on virtual appliances, ensure that you have configured the interface/ virtual switch on the hypervisor to use promiscuous mode.


Appendix A Troubleshooting FTP Problems

FTP Problems• URL Categories Do Not Block Some FTP Sites

• Large FTP Transfers Disconnect

• Zero Byte File Appears On FTP Servers After File Upload

• Chrome Browser Not Detected As User Agent in FTP-over-HTTP Requests, page A-6

• Also see:

– Unable to Route FTP Requests Via an Upstream Proxy


URL Categories Do Not Block Some FTP SitesWhen a native FTP request is transparently redirected to the FTP Proxy, it contains no hostname information for the FTP server, only its IP address. Because of this, some predefined URL categories and Web Reputation Filters that have only hostname information will not match native FTP requests, even if the requests are destined for those servers. If you wish to block access to these sites, you must create custom URL categories for them using their IP addresses.

Large FTP Transfers DisconnectIf the connection between the FTP Proxy and the FTP server is slow, uploading a large file may take a long time, particularly when Cisco Data Security Filters are enabled. This can cause the FTP client to time out before the FTP Proxy uploads the entire file and you may get a failed transaction notice. The transaction does not fail, however, but continues in the background and will be completed by the FTP Proxy.

You can workaround this issue by increasing the appropriate idle timeout value on the FTP client.

Zero Byte File Appears On FTP Servers After File UploadFTP clients create a zero byte file on FTP servers when the FTP Proxy blocks an upload due to outbound anti-malware scanning.

Chrome Browser Not Detected As User Agent in FTP-over-HTTP RequestsChrome browsers do not include a user-agent string in FTP-over-HTTP requests; therefore, Chrome cannot be detected as the user agent in those requests.

Upload/Download Speed IssuesThe WSA is designed to handle thousands of client and server connections in parallel, and the sizes of the send and receive buffers are configured to deliver optimal performance, without sacrificing stability. Generally, actual usage is browse traffic, consisting of numerous short-lived connections for which we have receive-packet-steering (RPS) and receive-flow-steering (RFS) data, and for which the WSA has been optimized.


Appendix A Troubleshooting Hardware Issues

However, at times you may experience a noticeable reduction in upload or download speeds; for example, when transferring large files via proxy. To illustrate: assuming a 10-Mbps line, downloading a 100-MB file that passes through a WSA can be approximately seven to eight times slower than downloading the file directly from its server.

In non-typical environments that include a larger proportion of large-file transfers, you can use the networktuning command to increase send and receive buffer size to alleviate this issue, but doing so can also cause network memory exhaustion and affect system stability. See Web Security Appliance CLI Commands, page B-6 for details of the networktuning command.

Caution Exercise care when changing the TCP receive and send buffer control points and other TCP buffer parameters. Use the networktuning command only if you understand the ramifications.

Here are examples of using the networktuning command on two different appliances:

On an S380networktuning

sendspace = 131072recvspace = 131072send-auto = 1 [Remember to disable miscellaneous > advancedproxy > send buf auto tuning]recv-auto = 1 [Remember to disable miscellaneous > advancedproxy > recv buf auto tuning]mbuf clusters = 98304 * (X/Y) where is X is RAM in GBs on the system and Y is 4GB.sendbuf-max = 1048576recvbuf-max = 1048576

Q. What are these parameters?

A. The WSA has several buffers and optimization algorithms which can be altered for specific needs. Buffer sizes are originally optimized to suit the “most common” deployment scenarios. However, larger buffer sizes can be used when faster per-connection performance is needed, but note that overall memory usage will increase. Therefore, buffer-size increases should be in line with the memory available on the system. The send- and receive-space variables control the size of the buffers available for storing data for communication over a socket. The send- and receive-auto options are used to enable and disable dynamic scaling of send and receive TCP window sizes. (These parameters are applied in the FreeBSD kernel.)

Q. How were these example values determined?

A. We tested different sets of values on a customer’s network where this “problem” was observed, and “zeroed in” on these values. We then further tested these changes for stability and performance increase in our labs. You are free to use values other than these at your own risk.

Q. Why are these values not the defaults?

A. As mentioned, by default the WSA is optimized for the most-common deployments, and operating in a very large number of locations without per-connection performance complaints. Making the changes discussed here will not increase RPS numbers, and in fact may cause them to drop.

Hardware Issues• Cycling Appliance Power, page A-8

• Appliance Health and Status Indicators, page A-8

• Alert: Battery Relearn Timed Out (RAID Event) on 380 or 680 Hardware, page A-8


Appendix A Troubleshooting HTTPS/Decryption/Certificate Problems

Cycling Appliance Power Important! If you need to cycle power to your x80 oappliance, wait at least 20 minutes for the appliance to come up again (all LEDs are green) before pushing the power button.

Appliance Health and Status Indicators Lights on the front and/or rear panels of your hardware appliance indicate health and status of your appliance. For descriptions of these indicators, see the hardware guides available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.

Specifications for your appliance, such as temperature ranges, are also available in these documents.

Alert: Battery Relearn Timed Out (RAID Event) on 380 or 680 HardwareThis alert may or may not indicate a problem. The battery relearn timeout, in itself, does not mean there is any problem with the RAID controller. The controller can recover in the subsequent relearn. Please monitor your email for any other RAID alerts for the next 48 hours, to ensure that this is not the side-effect of any other problem. If you do not see any other RAID-type alerts from the system, then you can safely ignore this alert.

HTTPS/Decryption/Certificate Problems• Accessing HTTPS Sites Using Routing Policies with URL Category Criteria

• HTTPS Request Failures

• Bypassing Decryption for Particular Websites

• Conditions and Restrictions for Exceptions to Blocking for Embedded and Referred Content

• Alert: Problem with Security Certificate

• Also see:

– Logging HTTPS Transactions

– Access Policy not Configurable for HTTPS


Accessing HTTPS Sites Using Routing Policies with URL Category CriteriaFor transparently redirected HTTPS requests, the Web Proxy must contact the destination server to determine the server name and therefore the URL category in which it belongs. Due to this, when the Web Proxy evaluates Routing Policy Group membership, it cannot yet know the URL category of an HTTPS request because it has not yet contacted the destination server. If the Web Proxy does not know the URL category, it cannot match the transparent HTTPS request to a Routing Policy that uses a URL category as membership criteria.




Appendix A Troubleshooting HTTPS/Decryption/Certificate Problems

As a result, transparently redirected HTTPS transactions only match Routing Policies that do not define Routing Policy Group membership criteria by URL category. If all user-defined Routing Policies define their membership by URL category, transparent HTTPS transactions match the Default Routing Policy Group.

HTTPS Request Failures• HTTPS with IP-based Surrogates and Transparent Requests

• Different Client “Hello” Behavior for Custom and Default Categories

HTTPS with IP-based Surrogates and Transparent Requests

If the HTTPS request comes from a client that does not have authentication information available from an earlier HTTP request, AsyncOS either fails the HTTPS request or decrypts the HTTPS request in order to authenticate the user, depending on how you configure the HTTPS Proxy. Use the HTTPS Transparent Request setting on the Security Services > HTTPS Proxy page to define this behavior. Refer to the Enabling HTTPS Proxy section in Decryption Policies chapter.

Different Client “Hello” Behavior for Custom and Default Categories

When scanning packet captures, you may notice that the “Client Hello” handshake is sent at different times for custom category and default (Web) category HTTPS Decryption pass-through policies.

For an HTTPS page passed through via the default category, the Client Hello is sent before receipt of a Client Hello from the requestor, and the connection fails. For an HTTPS page passed through via a custom URL category, the Client Hello is sent after the Client Hello is received from the requestor, and the connection is successful.

As a remedy, you can create a custom URL category with a pass-through action for SSL 3.0-only-compatible Web pages.

Bypassing Decryption for Particular WebsitesSome HTTPS servers do not work as expected when traffic to them is decrypted by a proxy server, such as the Web Proxy. For example, some websites and their associated web applications and applets, such as high security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the operating system certificate store.

You can bypass decryption for HTTPS traffic to these servers to ensure all users can access these types of sites.

Step 1 Create a custom URL category that contains the affected HTTPS servers by configuring the Advanced properties.

Step 2 Create a Decryption Policy that uses the custom URL category created in Step 1 as part of its membership, and set the action for the custom URL category to Pass Through.


Appendix A Troubleshooting Identity Services Engine Problems

Conditions and Restrictions for Exceptions to Blocking for Embedded and Referred Content

Referrer-based exceptions are supported only in Access policies. To use this feature with HTTPS traffic, before defining exceptions in Access policies, you must configure HTTPS decryption of the URL Categories that you will select for exception. However, this feature will not work under certain conditions:

• If the connection is tunneled and HTTPS decryption is not enabled, this feature will not work for requests going to HTTPS sites.

• According to RFC 2616, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and from information. The feature is exclusively dependent on the Referer header, and turning off sending them would cause our feature not to work.

• According to RFC 2616, clients should not include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol. So, any request from an HTTPS-based site to an HTTP-based site would not have the Referer header, causing this feature to not work as expected.

• When a Decryption policy is set up such that when a custom category matches the Decryption policy and the action is set to Drop, any incoming request for that category will be dropped, and no bypassing will be done.

Alert: Problem with Security CertificateTypically, the root certificate information you generate or upload in the appliance is not listed as a trusted root certificate authority in client applications. By default in most web browsers, when users send HTTPS requests, they will see a warning message from the client application informing them that there is a problem with the website’s security certificate. Usually, the error message says that the website’s security certificate was not issued by a trusted certificate authority or the website was certified by an unknown authority. Some other client applications do not show this warning message to users nor allow users to accept the unrecognized certificate.

Note Mozilla Firefox browsers: The certificate you upload must contain “basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows Firefox to recognize the root certificate as a trusted root authority.

Identity Services Engine Problems• Tools for Troubleshooting ISE Issues

• ISE Server Connection Issues

• ISE-related Critical Log Messages

Tools for Troubleshooting ISE IssuesThe following can be useful when troubleshooting ISE-related issues:



• The ISE test utility, used to test the connection to the ISE server, provides valuable connection-related information. This is the Start Test option on the Identity Services Engine page; see Connect to the ISE Services.

• ISE and Proxy Logs; see Monitor System Activity Through Logs.

• ISE-related CLI commands iseconfig and isedata, particularly isedata to confirm security group tag (SGT) download. See Web Security Appliance CLI Commands for additional information.

• The Web Tracking and Policy Trace functions can be used to debug policy match issues; for example, a user that should be allowed is blocked, and vice versa. See Web Tracking Page and Policy Troubleshooting Tool: Policy Trace for additional information.

• Packet Capture if Working With Support.

• For checking certificate status, you can use the openssl Online Certificate Status Protocol (ocsp) utility, available from www.openssl.org.

ISE Server Connection Issues

Certificate Issues

The WSA and the ISE server(s) use certificates to mutually authenticate for successful connection. Thus, each certificate presented by one entity should be recognizable by other. For example, if the WSA’s Client certificate is self-signed, the same certificate must be present in the trusted certificates list on the appropriate ISE server(s). Correspondingly, if the WSA Client certificate is CA-signed, then the CA root certificate must be present on the appropriate ISE server(s). Similar requirements apply to the ISE server-related Admin and pxGrid certificates.

Certificate requirements and installation are described in Integrate the Cisco Identity Services Engine. If you encounter certificate-related issues, check the following:

• If using CA-signed certificates:

– Verify that the root CA signing certificate(s) for the Admin and pxGrid certificates are present on the WSA.

– Verify that the root CA signing certificate for the WSA Client certificate is present in the trusted-certificates list on the ISE server.

• If using self-signed certificates:

– Verify that the WSA Client certificate—generated on the WSA and downloaded—has been uploaded to the ISE server and is present in the ISE servers trusted-certificates list.

– Verify that the ISE Admin and pxGrid certificates—generated on the ISE server and downloaded—have been uploaded to the WSA are present in the its certificate list.

• Expired certificates:

– Confirm that certificates which were valid when uploaded have not expired.

Log Output Indicating Certificate Issue

The following ISE-service log snippet shows a client-connection timeout due to a missing or invalid certificate.

www.openssl.org



These Trace-level log entries on the WSA show that after 30 seconds the attempts to connect to the ISE server are terminated.

Network Issues

• If connection to the ISE server fails during the Start Test on the Identity Services Engine page (Connect to the ISE Services), check connectivity to the configured ISE server on ports 443 and 5222.

Port 5222 is the official client-to-server Extensible Messaging and Presence Protocol (XMPP) port, and is used for connection to the ISE server; it is also used by applications such as Jabber and Google Talk. Note that some firewalls are configured to block port 5222.

Tools that can be used to check connectivity include tcpdump.

Other ISE Server Connectivity Issues

The following issues can cause failure when the WSA attempts to connect with the ISE server:

• Licenses on the ISE server have expired.

• The pxGrid node status is “not connected” on the ISE server’s Administration > pxGrid Services page. Be sure Enable Auto-Registration is selected on this page.

• Outdated WSA clients (specifically “test_client” or “pxgrid_client”) are present on the ISE server. These need to be deleted; see Administration > pxGrid Services > Clients on the ISE server.

• The WSA is attempting to connect to the ISE server before all its services are up and running.

Some changes on the ISE server, such as certificate updates, require the ISE server or services running on it to restart. Any attempt to connect to the ISE server during this time will fail; however, eventually the connection will succeed.

ISE-related Critical Log MessagesThis section contains explanations for ISE-related critical Log messages on the WSA:

• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: Waiting for client connection timed out


Appendix A Troubleshooting Logging Problems

The WSA’s ISE process failed to connect to the ISE server for 30 seconds.

• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: WSA Client cert/key missing. Please check ISE config

The WSA Client certificate and key were not uploaded or generated on the WSA’s Identity Service Engine configuration page.

• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: ISE service exceeded maximum allowable disconnect duration with ISE server

The WSA’s ISE process could not connect to the ISE server for 120 seconds and exited.

• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: Subscription to updates failed …

The WSA’s ISE process could not subscribe to the ISE server for updates.

• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: Could not create ISE client: …

Internal error when creating the WSA’s ISE client for ISE server connection.

• Tue Mar 24 03:56:47 2015 Critical: ISEEngineManager: Bulk Download thread failed: …

Internal error indicating bulk download of SGTs failed on connection or re-connection.

• Tue Mar 24 03:56:47 2015 Critical: ISEService: Unable to start service. Error: …

The WSA’s ISE service failed to start.

• Tue Mar 24 03:56:47 2015 Critical: ISEService: Unable to send ready signal …

The WSA’s ISE service was unable to send a ready signal to heimdall.

• Tue Mar 24 03:56:47 2015 Critical: ISEService: Unable to send restart signal …

The WSA’s ISE service was unable to send a restart signal to heimdall.

Logging Problems• Custom URL Categories Not Appearing in Access Log Entries

• Logging HTTPS Transactions

• Alert: Unable to Maintain the Rate of Data Being Generated

• Problem Using Third-Party Log-Analyzer Tool with W3C Access Logs

Custom URL Categories Not Appearing in Access Log EntriesWhen a web access policy group has a custom URL category set to Monitor and some other component, such as the Web Reputation Filters or the DVS engine, makes the final decision to allow or block a request for a URL in the custom URL category, then the access log entry for the request shows the predefined URL category instead of the custom URL category.

Logging HTTPS TransactionsHTTPS transactions in the access logs appear similar to HTTP transactions, but with slightly different characteristics. What gets logged depends on whether the transaction was explicitly sent or transparently redirected to the HTTPS Proxy:

• TUNNEL. This gets written to the access log when the HTTPS request was transparently redirected to the HTTPS Proxy.


Appendix A Troubleshooting Policy Problems

• CONNECT. This gets written to the access log when the HTTPS request was explicitly sent to the HTTPS Proxy.

When HTTPS traffic is decrypted, the access logs contain two entries for a transaction:

• TUNNEL or CONNECT depending on the type of request processed.

• The HTTP Method and the decrypted URL. For example, “GET https://ftp.example.com”.

The full URL is only visible when the HTTPS Proxy decrypts the traffic.

Alert: Unable to Maintain the Rate of Data Being GeneratedAsyncOS for Web sends a critical email message to the configured alert recipients when the internal logging process drops web transaction events due to a full buffer.

By default, when the Web Proxy experiences a very high load, the internal logging process buffers events to record them later when the Web Proxy load decreases. When the logging buffer fills completely, the Web Proxy continues to process traffic, but the logging process does not record some events in the access logs or in the Web Tracking report. This might occur during a spike in web traffic.

However, a full logging buffer might also occur when the appliance is over capacity for a sustained period of time. AsyncOS for Web continues to send the critical email messages every few minutes until the logging process is no longer dropping data.

The critical message contains the following text:

Reporting Client: The reporting system is unable to maintain the rate of data being

generated. Any new data generated will be lost.

If AsyncOS for Web sends this critical message continuously or frequently, the appliance might be over capacity. Contact Cisco Customer Support to verify whether or not you need additional Web Security appliance capacity.

Problem Using Third-Party Log-Analyzer Tool with W3C Access LogsIf you want to use a third party log analyzer tool to read and parse the W3C access logs, you might need to include the “timestamp” field. The timestamp W3C field displays time since the UNIX epoch, and most log analyzers only understand time in this format.

Policy Problems• Access Policy not Configurable for HTTPS

• Blocked Object Problems

• Identification Profile Disappeared from Policy

• Policy Match Failures

• Policy Troubleshooting Tool: Policy Trace

• Also see: Accessing HTTPS Sites Using Routing Policies with URL Category Criteria



Access Policy not Configurable for HTTPSWith the HTTPS Proxy is enabled, Decryption Policies handle all HTTPS policy decisions. You can no longer define Access and Routing Policy group membership by HTTPS, nor can you configure Access Policies to block HTTPS transactions.

If some Access and Routing Policy group memberships are defined by HTTPS and if some Access Policies block HTTPS, then when you enable the HTTPS Proxy, those Access and Routing Policy groups become disabled. You can choose to enable the policies at any time, but all HTTPS related configurations are removed. (bugs 38046, 40843, 41282)

Blocked Object Problems• Some Microsoft Office Files Not Blocked

• Blocking DOS Executable Object Types Blocks Updates for Windows OneCare

Some Microsoft Office Files Not Blocked

When you block Microsoft Office files in the Block Object Type section, it is possible that some Microsoft Office files will not be blocked.

If you need to block all Microsoft Office files, add application/x-ole in the Block Custom MIME Types field. However, blocking this custom MIME type also blocks all Microsoft Compound Object format types, such as Visio files and some third-party applications.

Blocking DOS Executable Object Types Blocks Updates for Windows OneCare

When you configure the Web Security appliance to block DOS executable object types, the appliance also blocks updates for Windows OneCare.

Identification Profile Disappeared from PolicyDisabling an Identification Profile removes it from associated policies. Verify that the Identification Profile is enabled and then add it to the policy again.

Policy Match Failures• Policy is Never Applied

• HTTPS and FTP over HTTP Requests Match only Access Policies that Do Not Require Authentication

• User Matches Global Policy for HTTPS and FTP over HTTP Requests

• User Assigned Incorrect Access Policy



Policy is Never Applied

If multiple Identification Profiles have identical criteria, AsyncOS assigns the transactions to the first Identification Profile that matches. Therefore, transactions never match the additional, identical Identification Profiles, and any policies that apply to those subsequent, identical Identification Profiles are never matched or applied.

HTTPS and FTP over HTTP Requests Match only Access Policies that Do Not Require Authentication

Configure the appliance to use IP addresses as the surrogate when credential encryption is enabled.

When credential encryption is enabled and configured to use cookies as the surrogate type, authentication does not work with HTTPS or FTP over HTTP requests. This is because the Web Proxy redirects clients to the Web Proxy itself for authentication using an HTTPS connection if credential encryption is enabled. After successful authentication, the Web Proxy redirects clients back to the original website. In order to continue to identify the user, the Web Proxy must use a surrogate (either the IP address or a cookie). However, using a cookie to track users results in the following behavior if requests use HTTPS or FTP over HTTP:

• HTTPS. The Web Proxy must resolve the user identity before assigning a Decryption Policy (and therefore, decrypt the transaction), but it cannot obtain the cookie to identify the user unless it decrypts the transaction.

• FTP over HTTP. The dilemma with accessing FTP servers using FTP over HTTP is similar to accessing HTTPS sites. The Web Proxy must resolve the user identity before assigning an Access Policy, but it cannot set the cookie from the FTP transaction.

Therefore, HTTPS and FTP over HTTP requests will match only Access Policies that do not require authentication. Typically, they match the global Access Policy because it never requires authentication.

User Matches Global Policy for HTTPS and FTP over HTTP Requests

When the appliance uses cookie-based authentication, the Web Proxy does not get cookie information from clients for HTTPS and FTP over HTTP requests. Therefore, it cannot get the user name from the cookie.

HTTPS and FTP over HTTP requests still match the Identification Profile according to the other membership criteria, but the Web Proxy does not prompt clients for authentication even if the Identification Profile requires authentication. Instead, the Web Proxy sets the user name to NULL and considers the user as unauthenticated.

Then, when the unauthenticated request is evaluated against a policy, it matches only a policy that specifies “All Identities” and apply to “All Users.” Typically, this is the global policy, such as the global Access Policy.

User Assigned Incorrect Access Policy

• Clients on your network use Network Connectivity Status Indicator (NCSI)

• Web Security appliance uses NTLMSSP authentication.

• Identification Profile uses IP based surrogates

A user might be identified using the machine credentials instead of the user’s own credentials, and as a result, might be assigned to an incorrect Access Policy.

Workaround:



• Reduce the surrogate timeout value for machine credentials.

Step 1 Use the advancedproxyconfig > authentication CLI command.

Step 2 Enter the surrogate timeout for machine credentials.

Policy Troubleshooting Tool: Policy Trace• About the Policy Trace Tool

• Tracing Client Requests

• Advanced: Request Details

• Advanced: Response Detail Overrides

About the Policy Trace Tool

The Policy Trace Tool can emulate a client request and then detail how the Web Proxy processes that request. It can be used to trace client requests and debug policy processing when troubleshooting Web Proxy issues. You can perform a basic trace, or you can enter advanced trace settings and override options.

Note When you use the Policy Trace tool, the Web Proxy does not record the requests in the access log or reporting database.

The Policy Trace tool evaluates requests against polices used by the Web Proxy only. These are Access, Encrypted HTTPS Management, Routing, Data Security, and Outbound Malware Scanning polices.

Note SOCKS and External DLP polices are not evaluated by the Policy Trace tool.

Tracing Client Requests

Note You can use the CLI command maxhttpheadersize to change the maximum HTTP header size for proxy requests. Increasing this value can alleviate Policy Trace failures that can occur when the specified user belongs to a large number of authentication groups, or when the response header is larger than the current maximum header size. See Web Security Appliance CLI Commands, page B-6 for more information about this command.

Step 1 Choose System Administration > Policy Trace.

Step 2 Enter the URL you wish to trace to in the Destination URL field.

Step 3 (Optional) Enter additional emulation parameters:



Step 4 Click Find Policy Match.

The Policy Trace output is displayed in the Results pane.

Note For a Pass Through HTTPS transaction, the Policy Trace tool bypasses further scanning and no Access policy is associated with the transaction. Similarly, for a Decrypt HTTPS transaction, the tool cannot actually decrypt the transaction to determine the applied Access policy. In both cases, as well as for Drop transactions, the trace results display: “Access policy: Not Applicable.”

Related Topics

• Advanced: Request Details, page A-18

• Advanced: Response Detail Overrides, page A-19

Advanced: Request Details

You can use the settings in the Request Details pane of the Policy Trace page, Advanced section, to tune the outbound malware scan request for this policy trace.

Step 1 Expand the Advanced section on the Policy Trace page.

Step 2 Complete the fields in the Request Details pane as required:

To emulate... Enter...

The client source IP used to make the request. An IP address in the Client IP Address field.

Note If an IP address is not specified, AsyncOS uses localhost. Also, SGTs (security group tags) cannot be fetched and policies based on SGTs will not be matched.

The authentication/identification credentials used to make the request.

A user name in the User Name field, and then choose Identity Services Engine or an authentication realm from the Authentication/Identification drop-down list.

Note Only enabled option(s) are available. That is, authentication options and the ISE option are available only if they are both enabled.

For authentication of the user you enter here, the user must have already successfully authenticated through the Web Security appliance.

Setting Description

Proxy Port Select a specific proxy port to use for the trace request to test policy membership based on proxy port.

User Agent Specify the User Agent to simulate in the request.

Time of Request Specify the Date and Time of day to simulate in the request.





Advanced: Response Detail Overrides

You can use the settings in the Response Detail Overrides pane of the Policy Trace page, Advanced section, to “tweak” aspects of the Web Access Policies response for this trace.

Step 1 Expand the Advanced section on the Policy Trace page.

Step 2 Complete the fields in the Response Detail Overrides pane as required:



Upload File Choose a local file to simulate uploading in the request.

When you specify a file to upload here, the Web Proxy simulates an HTTP POST request instead of a GET request.

Object Size Enter the size of the request object in bytes. You can enter K, M, or G to represent Kilobytes, Megabytes, or Gigabytes.

MIME Type Enter the MIME type.

Anti-malware Scanning Verdicts

To override a Webroot, McAfee, or Sophos scanning verdict, choose the specific type of verdict to be overridden.

Setting Description

Setting Description

URL Category Use this setting to override the URL transaction category of the trace response. Choose a category which is to replace the URL category in the response results.

Application Similarly, use this setting to override the application category of the trace response. Choose a category which is to replace the application category in the response results.

Object Size Enter a size for the response object in bytes. You can enter K, M, or G to represent Kilobytes, Megabytes, or Gigabytes.

MIME Type Enter a MIME type.

Web Reputation Score Enter a web reputation score from -10.0 to 10.0.

Anti-malware Scanning Verdicts

Use these options to override specific anti-malware scanning verdicts provided in the trace response. Choose verdicts which are to replace the Webroot, McAfee, and Sophos scanning verdicts in the response results.


Appendix A Troubleshooting Problems with File Reputation and File Analysis

Problems with File Reputation and File Analysis See Troubleshooting File Reputation and Analysis, page 14-14.

Reboot Issues• Virtual Appliance Running on KVM Hangs on Reboot

• Hardware Appliances: Remotely Resetting Appliance Power

Virtual Appliance Running on KVM Hangs on Reboot

Note This is a KVM issue and may change at any time.

For more information, see https://www.mail-archive.com/[email protected]/msg103854.html and https://bugs.launchpad.net/qemu/+bug/1329956.

Step 1 Check the following:

cat /sys/module/kvm_intel/parameters/enable_apicv

Step 2 If the above value is set to Y:

a. Stop your virtual appliances and reinstall the KVM kernel module:

rmmod kvm_intel

modprobe kvm_intel enable_apicv=N

b. Restart your virtual appliance.

Hardware Appliances: Remotely Resetting Appliance Power If a hardware appliance requires a hard reset, you can reboot the appliance chassis remotely using a third-party Intelligent Platform Management Interface (IPMI) tool.

Restrictions

• Remote power cycling is available only on certain hardware. For specifics, see Enabling Remote Power Cycling, page 22-5.

• If you want be able to use this feature, you must enable it in advance, before you need to use it. For details, see Enabling Remote Power Cycling, page 22-5.

• Only the following IPMI commands are supported: status, on, off, cycle, reset, diag, soft. Issuing unsupported commands will produce an “insufficient privileges” error.

Before You Begin

• Obtain and set up a utility that can manage devices using IPMI version 2.0.

• Understand how to use the supported IPMI commands. See the documentation for your IPMI tool.

https://www.mail-archive.com/[email protected]/msg103854.html


Appendix A Troubleshooting Site Access Problems

Step 1 Use IPMI to issue a supported power-cycling command to the IP address assigned to the Remote Power Cycle port, which you configured earlier, along with the required credentials.

For example, from a UNIX-type machine with IPMI support, you might issue the command:

ipmitool -I lan -H 192.0.2.1 -U remoteresetuser -P passphrase chassis power reset

where 192.0.2.1 is the IP address assigned to the Remote Power Cycle port and remoteresetuser and passphrase are the credentials that you entered while enabling this feature.

Step 2 Wait at least eleven minutes for the appliance to reboot.

Site Access Problems• Cannot Access URLs that Do Not Support Authentication

• Cannot Access Sites With POST Requests

• Also see: Bypassing Decryption for Particular Websites

Cannot Access URLs that Do Not Support AuthenticationThis is a partial list of applications cannot be used when the Web Security appliance is deployed in transparent mode because they do not support authentication.

• Mozilla Thunderbird

• Adobe Acrobat Updates

• HttpBridge

• Subversion, by CollabNet

• Microsoft Windows Update

• Microsoft Visual Studio

Workaround: Create a class of user for the URL that does not require authentication.

Related Topics


Cannot Access Sites With POST Requests When the user’s first client request is a POST request and the user still needs to authenticate, the POST body content is lost. This might be a problem when the POST request is for a application with the Access Control single sign-on feature in use.

Workarounds:

• Have users first authenticate with the Web Proxy by requesting a different URL through the browser before connecting to a URL that uses POST as a first request.

• Bypass authentication for URLs that use POST as a first request.


Appendix A Troubleshooting Upstream Proxy Problems

Note When working with Access Control, you can bypass authentication for the Assertion Consumer Service (ACS) URL configured in the Application Authentication Policy.

Related Topics

• Bypassing Authentication, page 5-31.

Upstream Proxy Problems• Upstream Proxy Does Not Receive Basic Credentials

• Client Requests Fail Upstream Proxy

Upstream Proxy Does Not Receive Basic CredentialsIf both the appliance and the upstream proxy use authentication with NTLMSSP, depending on the configurations, the appliance and upstream proxy might engage in an infinite loop of requesting authentication credentials. For example, if the upstream proxy requires Basic authentication, but the appliance requires NTLMSSP authentication, then the appliance can never successfully pass Basic credentials to the upstream proxy. This is due to limitations in authentication protocols.

Client Requests Fail Upstream ProxyConfiguration:

• Web Security appliance and upstream proxy server use Basic authentication.

• Credential Encryption is enabled on the downstream Web Security appliance.

Client requests fail on the upstream proxy because the Web Proxy receives an “Authorization” HTTP header from clients, but the upstream proxy server requires a “Proxy-Authorization” HTTP header.

Unable to Route FTP Requests Via an Upstream ProxyIf your network contains an upstream proxy that does not support FTP connections, then you must create a Routing Policy that applies to all Identities and to just FTP requests. Configure that Routing Policy to directly connect to FTP servers or to connect to a proxy group whose proxies all support FTP connections.

Virtual Appliances • Do Not Use Force Reset, Power Off, or Reset Options During AsyncOS Startup

• Network Connectivity on KVM Deployments Works Initially, Then Fails

• Slow Performance, Watchdog Issues, and High CPU Usage on KVM Deployments

• General Troubleshooting for Virtual Appliances Running on Linux Hosts


Appendix A Troubleshooting WCCP Problems

Do Not Use Force Reset, Power Off, or Reset Options During AsyncOS Startup The following actions on your virtual host are the equivalent of pulling the plug on a hardware appliance and are not supported, especially during AsyncOS startup:

• In KVM, the Force Reset option.

• In VMWare, the Power Off and Reset options. (These options are safe to use after the appliance has come up completely.)

Network Connectivity on KVM Deployments Works Initially, Then Fails

Problem Network connectivity is lost after previously working.

Solution This is a KVM issue. See the section on "KVM: Network connectivity works initially, then fails" in the OpenStack documentation at http://docs.openstack.org/admin-guide-cloud/content/section_network-troubleshoot.html.

Slow Performance, Watchdog Issues, and High CPU Usage on KVM Deployments

Problem Appliance performance is slow, watchdog issues occur, and the appliance shows unusually high CPU usage when running on an Ubuntu virtual machine.

Solution Install the latest Host OS updates from Ubuntu.

General Troubleshooting for Virtual Appliances Running on Linux Hosts

Problem Issues with virtual appliances running on KVM deployments may be related to host OS configuration issues.

Solution See the troubleshooting section and other information in the Virtualization Deployment and Administration Guide, available from https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Virtualization_Deployment_and_Administration_Guide/Red_Hat_Enterprise_Linux-7-Virtualization_Deployment_and_Administration_Guide-en-US.pdf.

WCCP Problems• Maximum Port Entries

Maximum Port EntriesIn deployments using WCCP, the maximum number of port entries is 30 for HTTP, HTTPS, and FTP ports combined.

http://docs.openstack.org/admin-guide-cloud/content/section_network-troubleshoot.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Virtualization_Deployment_and_Administration_Guide/Red_Hat_Enterprise_Linux-7-Virtualization_Deployment_and_Administration_Guide-en-US.pdf

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Virtualization_Deployment_and_Administration_Guide/Red_Hat_Enterprise_Linux-7-Virtualization_Deployment_and_Administration_Guide-en-US.pdf


Appendix A Troubleshooting Packet Capture

Packet Capture• Starting a Packet Capture

• Managing Packet Capture Files

The appliance provides the ability to capture and display TCP/IP and other packets being transmitted or received over the network to which the appliance is attached.

Note The packet capture feature is similar to the Unix tcpdump command.

Starting a Packet Capture

Step 1 Choose Support and Help > Packet Capture.

Step 2 (Optional) Click Edit Settings to change the packet capture settings.

(Optional) Submit and commit your packet capture changes.

Note When you change the packet capture settings without committing the changes and then start a packet capture, AsyncOS uses the new settings. This allows you to use the new settings in the current session without enforcing the settings for future packet capture runs. The settings remain in effect until you clear them.

Option Description

Capture File Size Limit Specifies the maximum size that the capture file can reach. One the limit is reached, the data will be discarded and a new file started, unless the Capture Duration setting is 'Run Capture Until File Size Limit Reached.'

Capture Duration Options for if and when the capture automatically stops. Choose from:

• Run Capture Until File Size Limit Reached. The capture runs until the file limit set above is reached.

• Run Capture Until Time Elapsed Reaches. The capture runs for a specified duration. If you enter the amount of time without specifying the units, AsyncOS uses seconds by default.

• Run Capture Indefinitely. The packet capture runs until you manually stop it.

Note The capture can be ended manually at any time.

Interfaces The interfaces from which traffic will be captured.

Filters The filtering options to apply when capturing packets. Filtering allows you to capture required packets only. Choose from:

• No Filters. All packets will be captured.

• Predefined Filters. The predefined filters provide filtering by port and/or IP addresses. If left blank, all traffic will be captured.

• Custom Filter. Use this option if you already know the exact syntax of the packet capture options that you need. Use standard tcpdump syntax.


Appendix A Troubleshooting Working With Support

Step 3 Click Start Capture. To manually stop a running capture, click Stop Capture.

Managing Packet Capture FilesThe appliance saves the captured packet activity to a file and stores the file locally. You can send packet capture files using FTP to Cisco Customer Support for debugging and troubleshooting purposes.

• Downloading or Deleting Packet Capture Files

Downloading or Deleting Packet Capture Files

Note You can also connect to the appliance using FTP and retrieving packet capture files from the captures directory.

Step 1 Choose Support and Help > Packet Capture.

Step 2 Select the packet capture file you wish to use from the Manage Packet Capture Files pane. If this pane is not visible then no packet capture files have been stored on the appliance.

Step 3 Click Download File or Delete Selected Files as required.

Working With Support • Gathering Information for Efficient Service, page A-25

• Opening a Technical Support Request, page A-25

• Getting Support for Virtual Appliances, page A-26

• Enabling Remote Access to the Appliance, page A-27

Gathering Information for Efficient Service Before contacting Support:

• Enable custom logging fields as described in General Troubleshooting Best Practices, page A-1.

• Consider doing a packet capture. See Packet Capture, page A-24.

Opening a Technical Support RequestYou can use the appliance to send a non-urgent request for assistance to Cisco Customer Support. When the appliance sends the request, it also sends the configuration of the appliance. The appliance must be able to send mail to the Internet to send a support request.



Note If you have an urgent issue, please call a Cisco Worldwide Support Center.

Before You Begin

• Verify that your Cisco.com user ID is associated with your service agreement contract for this appliance. To view a list of service contracts that are currently associated with your Cisco.com profile, visit the Cisco.com Profile Manager at https://sso.cisco.com/autho/forms/CDClogin.html. If you do not have a Cisco.com user ID, register to get one.

Step 1 Choose Support And Help > Contact Technical Support.

Step 2 (Optional) Choose additional recipients for the request. By default, the support request and configuration file is sent to Cisco Customer Support.

Step 3 Enter your contact information.

Step 4 Enter the issue details.

• If you have a customer support ticket already for this issue, enter it.

Step 5 Click Send. A trouble ticket is created with Cisco.

Getting Support for Virtual Appliances

If you file a support case for a Cisco content security virtual appliance, you must provide your Virtual License Number (VLN), your contract number, and your Product Identifier code (PID).

You can identify your PID based on the software licenses running on your virtual appliance, by referencing your purchase order, or from the following table:

Functionality PID Description

Web Security Essentials WSA-WSE-LIC= Includes:

• Web Usage Controls

• Web Reputation

Web Security Premium WSA-WSP-LIC= Includes:

• Web Usage Controls

• Web Reputation

• Sophos and Webroot Anti-Malware signatures

Web Security Anti-Malware WSA-WSM-LIC= Includes Sophos and Webroot Anti-Malware signatures

McAfee Anti-Malware WSA-AMM-LIC= —

Advanced Malware Protection WSA-AMP-LIC= —

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html#telephone



Enabling Remote Access to the Appliance The Remote Access option allows Cisco Customer Support to remotely access your appliance for support purposes.

Step 1 Choose Support And Help > Remote Access.

Step 2 Click Enable.

Step 3 Complete the Customer Support Remote Access options:


Step 5 Look for the seed string in the Success message near the top of the page and make a note of it.

For security reasons, this string is not stored on the appliance and there is no way to locate this string later.

Keep this seed string in a safe place.

Step 6 Give the seed string to your Support representative.

Option Description

Seed String If you enter a string, the string should not match any existing or future pass phrase.

The string will appear near the top of the page after you click Submit.

You will give this string to your support representative.

Secure Tunnel (recommended)

Specifies whether or not to use a secure tunnel for remote access connections.

When enabled, the appliance creates an SSH tunnel over the specified port to the server upgrades.ironport.com, over port 443 (by default). Once a connection is made, Cisco Customer Support is able to use the SSH tunnel to obtain access to the appliance.

Once the techsupport tunnel is enabled, it will remain connected to upgrades.ironport.com for 7 days. After 7 days, no new connections can be made using the techsupport tunnel, though any existing connections will continue to exist and work.

The Remote Access account will remain active until specifically deactivated.



B-1AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

A P P E N D I X BCommand Line Interface

• Overview of the Command Line Interface, page 27-1

• Accessing the Command Line Interface, page 27-1

• General Purpose CLI Commands, page 27-4

• Web Security Appliance CLI Commands, page 27-6

Overview of the Command Line Interface The AsyncOS Command Line Interface (CLI) allows you to configure and monitor the Web Security appliance. The Command Line Interface is accessible using SSH on IP interfaces that have been configured with these services enabled, or using terminal emulation software on the serial port. By default, SSH is configured on the Management port.

The commands are invoked by entering the command name with or without any arguments. If you enter a command without arguments, the command prompts you for the required information.

Accessing the Command Line InterfaceYou can connect using one of the following methods:

• Ethernet. Start an SSH session with the IP address of the Web Security appliance. The factory default IP address is 192.168.42.42. SSH is configured to use port 22.

• Serial connection. Start a terminal session with the communication port on your personal computer that the serial cable is connected to.

First AccessYou can add other users with differing levels of permissions after you have accessed the CLI the first time using the admin account—log in to the appliance by entering the default admin user name and passphrase:



The System Setup Wizard prompts you to change the passphrase for the admin account the first time you log in with the default passphrase.

You can also reset the admin account passphrase at any time using the passwd command.


Appendix B Command Line Interface Accessing the Command Line Interface

Subsequent AccessYou can connect and log into the appliance at any time, using a valid user name and passphrase. Note that a listing of recent appliance access attempts, both successes and failures, for the current user name is displayed automatically upon log-in.

See the following userconfig command description, or Administering User Accounts, page 22-6 for information about configuring additional users.

Working with the Command PromptThe top-level command prompt consists of the fully qualified hostname, followed by the greater than (>) symbol, followed by a space. For example:

When running commands, the CLI requires input from you. When the CLI is expecting input, the prompt displays the default values enclosed in square brackets ([]) followed by the greater than (>) symbol. When there is no default value, the brackets are empty.

For example:

When there is a default setting, the setting is displayed within the command-prompt brackets. For example:

When a default setting is shown, typing Return is equivalent to accepting the default:

Command SyntaxWhen operating in the interactive mode, the CLI command syntax consists of single commands with no white space and no arguments or parameters. For example:

example.com>

example.com> routeconfig

Choose a routing table:- MANAGEMENT - Routes for Management Traffic- DATA - Routes for Data Traffic[]>

example.com> setgateway

Warning: setting an incorrect default gateway may cause the current connectionto be interrupted when the changes are committed.Enter new default gateway:[172.xx.xx.xx]>

example.com> logconfig


Appendix B Command Line Interface Accessing the Command Line Interface

Select ListsWhen you are presented with multiple choices for input, some commands use numbered lists. Enter the number of the selection at the prompt.

For example:

Yes/No QueriesWhen given a yes or no option, the question is posed with a default in brackets. You may answer Y, N, Yes, or No. Case is not significant.

For example:

SubcommandsSome commands give you the opportunity to use subcommand directives such as NEW, EDIT, and DELETE. The EDIT and DELETE functions provide a list of previously configured values.

For example:

Within subcommands, typing Enter or Return at an empty prompt returns you to the main command.

Log level:1. Critical2. Warning3. Information4. Debug5. Trace[3]> 3

Do you want to enable the proxy? [Y]> Y

example.com> interfaceconfig

Currently configured interfaces:

1. Management (172.xxx.xx.xx/xx: example.com)

Choose the operation you want to perform:

- NEW - Create a new interface.

- EDIT - Modify an interface.

- DELETE - Remove an interface.

[]>


Appendix B Command Line Interface General Purpose CLI Commands

Escaping Subcommands

You can use the Ctrl+C keyboard shortcut at any time within a subcommand to immediately exit return to the top level of the CLI.

Command HistoryThe CLI keeps a history of all commands entered during a session. Use the Up and Down arrow keys on your keyboard, or the Ctrl+P and Ctrl+N key combinations to scroll through a running list of the recently-used commands.

Completing CommandsThe AsyncOS CLI supports command completion. You can enter the first few letters of some commands followed by the Tab key and the CLI completes the string. If the letters you entered are not unique among commands, the CLI “narrows” the set. For example:

Committing Configuration Changes Using the CLI • Many configuration changes do not take effect until you commit them.

• The commit command allows you to change configuration settings while other operations proceed normally.

• To successfully commit changes, you must be at the top-level command prompt. Type Return at an empty prompt to move up one level in the command line hierarchy.

• Changes to configuration that have not been committed are recorded, but do not go into effect until you run the commit command. However, not all commands require the commit command to be run. Exiting the CLI session, system shutdown, reboot, failure, or issuing the clear command clears changes that have not yet been committed.

• Changes are not actually committed until you receive confirmation and a timestamp.

General Purpose CLI CommandsThis section describes some basic commands you might use in a typical CLI session, such as committing and clearing changes.

example.com> set (press the Tab key)setgateway, setgoodtable, sethostname, settime, settzexample.com> seth (pressing the Tab again completes the entry with sethostname)


Appendix B Command Line Interface General Purpose CLI Commands

CLI Example: Committing Configuration ChangesEntering comments after the commit command is optional.

CLI Example: Clearing Configuration ChangesThe clear command clears any changes made to the appliance configuration since the last commit or clear command was issued.

CLI Example: Exiting the Command Line Interface SessionThe exit command logs you out of the CLI application. Configuration changes that have not been committed are cleared.

CLI Example: Seeking Help on the Command Line InterfaceThe help command lists all available CLI commands and gives a brief description of each command. The help command can be invoked by typing either help or a single question mark (?) at the command prompt.

Further, you can access help for a specific command by entering help commandname.

example.com> commit

Please enter some comments describing your changes:

[]> Changed “psinet” IP Interface to a different IP address

Changes committed: Wed Jan 01 12:00:01 2007

example.com> clear

Are you sure you want to clear all changes since the last commit? [Y]> y

Changes cleared: Wed Jan 01 12:00:01 2007

example.com>

example.com> exit

Configuration changes entered but not committed. Exiting will lose changes.

Type 'commit' at the command prompt to commit changes.

Are you sure you wish to exit? [N]> y

example.com> help


Appendix B Command Line Interface Web Security Appliance CLI Commands

Related Topics

• Web Security Appliance CLI Commands, page 27-6.

Web Security Appliance CLI CommandsThe Web Security Appliance CLI supports a set of proxy and UNIX commands to access, upgrade, and administer the system.

Note Not all CLI commands are applicable/available in all operating modes (Standard, and Cloud Web Security Connector).

Command Description

advancedproxyconfig Configure advanced Web Proxy configurations; subcommands are:

AUTHENTICATION – Authentication configuration options:

• When would you like to forward authorization request headers to a parent proxy

• Enter the Proxy Authorization Realm to be displayed in the end user authentication dialog

• Would you like to log the username that appears in the request URI

• Should the Group Membership attribute be used for directory lookups in the Web UI (when it is not used, empty groups and groups with different membership attributes will be displayed)

• Would you like to use advanced Active Directory connectivity checks

• Would you like to allow case insensitive username matching in policies

• Would you like to allow wild card matching with the character * for LDAP group names

• Enter the charset used by the clients for basic authentication [ISO-8859-1/UTF-8]

• Would you like to enable referrals for LDAP

• Would you like to enable secure authentication

• Enter the hostname to redirect clients for authentication

• Enter the surrogate timeout for user credentials

• Enter the surrogate timeout for machine credentials

• Enter the surrogate timeout in the case traffic permitted due to authentication service unavailability

• Enter re-auth on request denied option [disabled / embedlinkinblockpage]

• Would you like to send Negotiate header along with NTLM header for NTLMSSP authentication

• Configure username and IP address masking in logs and reports



advancedproxyconfig

(cont.)CACHING – Proxy Caching mode; choose one:

• Safe Mode

• Optimized Mode

• Aggressive Mode

• Customized Mode

See also Choosing The Web Proxy Cache Mode, page 4-7.

DNS – DNS configuration options:

• Enter the URL format for the HTTP 307 redirection on DNS lookup failure

• Would you like the proxy to issue a HTTP 307 redirection on DNS lookup failure

• Would you like proxy not to automatically failover to DNS results when upstream proxy (peer) is unresponsive

• Find web server by:

0 = Always use DNS answers in order

1 = Use client-supplied address then DNS

2 = Limited DNS usage

3 = Very limited DNS usage

For options 1 and 2, DNS will be used if Web Reputation is enabled. For options 2 and 3, DNS will be used for explicit proxy requests, if there is no upstream proxy or in the event the configured upstream proxy fails. For all options, DNS will be used when Destination IP Addresses are used in policy membership.

EUN – End-user notification parameters:

• Choose:

1. Refresh EUN pages

2. Use Custom EUN pages

3. Use Standard EUN pages

• Would you like to turn on presentation of the User Acknowledgement page?

See also Web Proxy Usage Agreement, page 4-11 and End-User Notifications Overview, page 17-1.

NATIVEFTP – Native FTP configuration:

• Would you like to enable FTP proxy

• Enter the ports that FTP proxy listens on

• Enter the range of port numbers for the proxy to listen on for passive FTP connections

• Enter the range of port numbers for the proxy to listen on for active FTP connections

• Enter the authentication format:

1. Check Point

2. No Proxy Authentication

3. Raptor

• Would you like to enable caching

• Would you like to enable server IP spoofing

• Would you like to pass FTP server welcome message to the clients

• Enter the max path size for the ftp server directory

See also Overview of FTP Proxy Services, page 4-14.



advancedproxyconfig

(continued)FTPOVERHTTP – FTP Over HTTP options:

• Enter the login name to be used for anonymous FTP access

• Enter the password to be used for anonymous FTP access

See also Overview of FTP Proxy Services, page 4-14.

HTTPS – HTTPS-related options:

• HTTPS URI Logging Style - fulluri or stripquery

• Would you like to decrypt unauthenticated transparent HTTPS requests for authentication purpose

• Would you like to decrypt HTTPS requests for End User Notification purpose

• Action to be taken when HTTPS servers ask for client certificate during handshake:

1. Pass through the transaction

2. Reply with certificate unavailable

• Do you want to enable server name indication (SNI) extension?

• Do you want to enable automatic discovery and download of missing Intermediate Certificates?

• Do you want to enable session resumption?

See also Overview of Create Decryption Policies to Control HTTPS Traffic, page 11-1.

SCANNING – Scanning options:

• Would you like the proxy to do malware scanning all content regardless of content type

• Enter the time to wait for a response from an anti-malware scanning engine (Sophos, McAfee, or Webroot), in seconds

• Do you want to disable Webroot body scanning

See also Overview of Anti-Malware Scanning, page 13-4 and Overview of Scanning Outbound Traffic, page 12-1.

PROXYCONN – Manage the list of user agents that cannot accept the proxy connection header. The list entries are interpreted as regular expressions in Flex (Fast Lexical Analyzer) dialect. A user agent will be matched if any substring of it matches any regular expression in the list.

• Choose the operation you want to perform:NEW - Add an entry to the list of user agents

DELETE - Remove an entry from the list

CUSTOMHEADERS – Manage custom request headers for specific domains.

• Choose the operation you want to perform:DELETE - Delete entries

NEW - Add new entries

EDIT - Edit entries

See also Adding Custom Headers To Web Requests, page 4-9.



advancedproxyconfig

(continued)MISCELLANEOUS – Miscellaneous proxy-related parameters:

• Would you like proxy to respond to health checks from L4 switches (always enabled if WSA is in L4 transparent mode)

• Would you like proxy to perform dynamic adjustment of TCP receive window size

• Would you like proxy to perform dynamic adjustment of TCP send window size

• Enable caching of HTTPS responses

• Enter minimum idle timeout for checking unresponsive upstream proxy (in seconds)

• Enter maximum idle timeout for checking unresponsive upstream proxy (in seconds)

• Mode of the proxy:

1. Explicit forward mode only

2. Transparent mode with L4 Switch or no device for redirection

3. Transparent mode with WCCP v2 Router for redirection

• Spoofing of the client IP by the proxy:

1. Disable

2. Enable for all requests

3. Enable for transparent requests only

• Do you want to pass HTTP X-Forwarded-For headers?

• Would you like to permit tunneling of non-HTTP requests on HTTP ports?

• Would you like to block tunneling of non-SSL transactions on SSL Ports?

• Would you like proxy to log values from X-Forwarded-For headers in place of incoming connection IP addresses?

• Do you want proxy to throttle content served from cache?

• Would you like the proxy to use client IP addresses from X-Forwarded-For headers

• Do you want to forward TCP RST sent by server to client?

• Do you want to enable URL lower case conversion for velocity regex?

See also Using the P2 Data Interface for Web Proxy Data, page 2-21 and Configuring Web Proxy Settings, page 4-3.

SOCKS – SOCKS Proxy options:

• Would you like to enable SOCKS proxy

• Proxy Negotiation Timeout

• UDP Tunnel Timeout

• SOCKS Control Ports

• UDP Request Ports

See also Using the P2 Data Interface for Web Proxy Data, page 2-21 and SOCKS Proxy Services, page 4-16.



advancedproxyconfig

(continued)CONTENT-ENCODING – Allow and block content-encoding types.

Currently allowed content-encoding type(s): compress, deflate, gzip

Currently blocked content-encoding type(s): N/A

To change the setting for a specific content-encoding type, select an option:

1. compress

2. deflate

3. gzip

[1]>

The encoding type "compress" is currently allowed

Do you want to block it? [N]>

adminaccessconfig You can configure the Web Security appliance to have stricter access requirements for administrators logging into the appliance.

alertconfig Specify alert recipients, and set parameters for sending system alerts.

authcache Allows you to delete one or all entries (users) from the authentication cache. You can also list all users currently included in the authentication cache.

bwcontrol Enable bandwidth control debug messages in the Default Proxy log file.

certconfig Configure security certificates and keys.

clear Clears pending configuration changes since last commit.

commit Commits pending changes to the system configuration.

createcomputerobject Creates a computer object at the location you specify.

datasecurityconfig Defines a minimum request body size, below which upload requests are not scanned by the Cisco IronPort Data Security Filters.

date Displays the current date. Example:

Thu Jan 10 23:13:40 2013 GMT



diagnostic Proxy- and reporting-related subcommands:

NET – Network Diagnostic Utility

This command has been deprecated; use packetcapture to capture network traffic on the appliance.

PROXY – Proxy Debugging Utility


– SNAP – Take a snapshot of the proxy

– OFFLINE – Take the proxy off-line (via WCCP)

– RESUME – Resume proxy traffic (via WCCP)

– CACHE – Clear proxy cache

REPORTING – Reporting Utilities

The reporting system is currently enabled.


– DELETEDB – Re-initialize the reporting database

– DISABLE – Disable the reporting system

– DBSTATS – List DB and Export Files (Displays the list of unprocessed files and folders under export_files and always_onbox folders.)

– DELETEEXPORTDB – Delete Export Files (Deletes all unprocessed files and folders under export_files and always_onbox folders.)

– DELETEJOURNAL – Delete Journal Files(Deletes all aclog_journal_files.)

dnsconfig Configure DNS server parameters.

dnsflush Flush DNS entries on the appliance.

etherconfig Configure Ethernet port connections.

externaldlpconfig Defines a minimum request body size, below which upload requests are not scanned by the external DLP server.

featurekey Submits valid keys to activate licensed features.

featurekeyconfig Automatically check for and update feature keys.

grep Searches named input files for lines containing a match to the given pattern.

help Returns a list of commands.

iccm_message Clears the message in the web interface and CLI that indicates when this Web Security appliance is managed by a Security Management appliance (M-Series).

ifconfigorinterfaceconfig

Configure and manage network interfaces including M1, P1, and P2. Displays currently configured interfaces, and provides an operations menu to create, edit, or delete interfaces.



iseconfig Displays current ISE configuration parameters; specify an ISE configuration operation to perform:

• setup – Configure ISE settings: enable/disable, ISE server name or IPv4 address, proxy cache timeout, statistics back-up interval.

isedata Specify an ISE data-related operation:

statistics – Show ISE server status and ISE statistics.

cache – Show the ISE cache, or check an IP address:

show – Show the ISE ID cache.

checkip – Query the local ISE cache for an IP address.

sgts – Show the ISE Secure Group Tag (SGT) table.

last Lists user-specific user information that includes ttys and hosts, in reverse time order or lists the users that are logged in at a specified date and time.

loadconfig Load a system configuration file.

logconfig Configure access to log files.

mailconfig Mail the current configuration file to the address specified.

maxhttpheadersize Set the maximum HTTP header size for proxy requests; enter the value in bytes, or append a K to the number to indicate kilobytes.

Policy Trace can fail for a user that belongs to a large number of authentication groups. It can also fail if the HTTP response header size is greater than the current “max header size.” Increasing this value can alleviate such failures. Minimum value is 32 KB; default value is 32 KB; maximum value is 1024 KB.

musconfig Use this command to enable Secure Mobility and configure how to identify remote users, either by IP address or by integrating with one or more Cisco adaptive security appliances.

Note Changes made using this command cause the Web Proxy to restart.

musstatus Use this command to display information related to Secure Mobility when the Web Security appliance is integrated with an adaptive security appliance.

This command displays the following information:

• The status of the Web Security appliance connection with each adaptive security appliance.

• The duration of the Web Security appliance connection with each adaptive security appliance in minutes.

• The number of remote clients from each adaptive security appliance.

• The number of remote clients being serviced, which is defined as the number of remote clients that have passed traffic through the Web Security appliance.

• The total number of remote clients.



networktuning The WSA utilizes several buffers and optimization algorithms to handle hundreds of TCP connections simultaneously, providing high performance for typical Web traffic—that is, short-lived HTTP connections.

In certain situations, such as frequent downloading of large files (100+ MB), larger buffers can provide better per-connection performance. However, overall memory usage will increase, and thus any buffer increases should be in line with the memory available on the system.

The send- and receive-space variables represent the buffers used for storing data for communications over any given TCP socket. The send- and receive-auto variables are used to enable and disable the FreeBSD auto-tuning algorithm for dynamically controlling window size. These two parameters are applied directly in the FreeBSD kernel.

See Upload/Download Speed Issues, page A-6 for additional information about using this command.

The networktuning subcommands are:

SENDSPACE – TCP send-space buffer size; range is from 8192 to 131072 bytes; the default is 16000 bytes.

RECVSPACE – TCP receive-space buffer size; range is from 8192 to 131072 bytes; the default is 32768 bytes.

SEND-AUTO – Enable/disable TCP send auto-tuning; 1 = On, 0 = Off; default is Off. If you enable TCP send auto-tuning, be sure to use advancedproxyconfig > miscellaneous > Would you like proxy to perform dynamic adjustment of TCP send window size? to disable send buffer auto-tuning.

RECV-AUTO – Enable/disable TCP receive auto-tuning; 1 = On, 0 = Off; default is Off. If you enable TCP receive auto-tuning, be sure to use advancedproxyconfig > miscellaneous > Would you like proxy to perform dynamic adjustment of TCP receive window size? to disable receive buffer auto-tuning.

MBUF CLUSTER COUNT – Change the number of available mbuf clusters; acceptable range is from 98304 to 1572864. The value should vary according to installed system memory, using this calculation: 98304 * (X/Y) where is X is gigabytes of RAM on the system and Y is 4 GB. For example, with 4 GB RAM, the recommended value is 98304 * (4/4) = 98304. Linear scaling is recommended as RAM increases.

SENDBUF-MAX – Specify the maximum send buffer size; range is from 131072 bytes to 2097152 bytes; the default is 1 MB (1048576 bytes).

RECVBUF-MAX – Specify the maximum receive buffer size; range is from 131072 bytes to 2097152 bytes; the default is 1 MB (1048576 bytes).



networktuning (cont.) CLEAN-FIB-1 – Remove all M1/M2 entries from the data-routing table—essentially, enable control-plane/data-plane separation. That is, disable any data-plane process from sending data over the M1 interface when “Separate Routing” is enabled. Data-plane processes are those for which “Use data routing table” is enabled, or which carry strictly non-management traffic. Control-plane processes can still send data of over either the M1 or P1 interfaces.

Following any changes to these parameters, be sure to commit your changes and the restart the appliance.

Caution Use this command only if you understand the ramifications. We recommend using only with TAC guidance.

nslookup Queries Internet domain name servers for information about specified hosts and domains or to print a list of hosts in a domain.

ntpconfig Configure NTP servers. Displays currently configured interfaces, and provides an operations menu to add, remove, or set the interface from whose IP address NTP queries should originate.

packetcapture Intercepts and displays TCP/IP and other packets being transmitted or received over the network to which the appliance is attached.

passwd Set the passphrase.

pathmtudiscovery Enables or disables Path MTU Discovery.

You might want to disable Path MTU Discovery if you need to packet fragmentation.

ping Sends an ICMP ECHO REQUEST to the specified host or gateway.

proxyconfig <enable | disable>

Enables or disables the Web Proxy.

proxystat Display web proxy statistics.

quit, q, exit Terminates an active process or session.

reboot Flushes the file system cache to disk, halts all running processes, and restarts the system.

reportingconfig Configure a reporting system.

resetconfig Restores the configuration to factory defaults.

revert Revert the AsyncOS for Web operating system to a previous qualified build. This is a very destructive action, destroying all configuration logs and databases. Refer to Reverting to a Previous Version of AsyncOS for Web, page 22-33 for information about using this command.

rollovernow Roll over a log file.

routeconfig Configure destination IP addresses and gateways for traffic. Displays currently configured routes, and provides an operations menu to create, edit, or delete, or clear entries.

saveconfig Saves a copy of the current configuration settings to a file. This file can be used to restore defaults, if necessary.

setgateway Configure the default gateway for the machine.

sethostname Set the hostname parameter.



setntlmsecuritymode Changes the security setting for the NTLM authentication realm to either “ads” or “domain”.

• domain — AsyncOS joins the Active Directory domain with a domain security trust account. AsyncOS requires Active Directory to use only nested Active Directory groups in this mode.

• ads — AsyncOS joins the domain as a native Active Directory member.

Default is ads.

settime Set system time.

settz Displays the current time zone and the time zone version. Provides an operations menu to set a local time zone.

showconfig Display all configuration values.

Note User passphrases are encrypted.

shutdown Terminates connections and shuts down the system.

smtprelay Configure SMTP relay hosts for internally generated email. An SMTP relay host is required to receive system generated email and alerts.

snmpconfig Configure the local host to listen for SNMP queries and allow SNMP requests.

sshconfig Configure hostname and host key options for trusted servers.



sslconfig Commands for use of communications protocols TLS v1.x and SSL v3 with Appliance Management Web User Interface, Proxy Services (includes HTTPS Proxy and Credential Encryption for Secure Client), Secure LDAP Services (includes Authentication, External Authentication and Secure Mobility), as well as the Update Service.

VERSIONS – View and change the protocols enabled for specific services.

COMPRESS – Enable/disable TLS compression. Disabling is recommended for best security.

CIPHERS – Add/update cipher suites available to selected protocols.

The default cipher for AsyncOS versions 9.0 and earlier is DEFAULT:+kEDH. For AsyncOS versions 9.1 and later, it the default cipher is EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!SEED

:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES2

56-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES128-SHA. In both cases, this may change based on your ECDHE cipher selections.

Note However, regardless of version, the default cipher does not change when you upgrade to a newer AsyncOS version. For example, when you upgrade from an earlier version to AsyncOS 9.1, the default cipher is DEFAULT:+kEDH. In other words, following an upgrade, you must update the current cipher suite yourself; Cisco recommends updating to EECDH:DSS:RSA:!NULL:!eNULL:!EXPORT:!3DES:!RC4:!RC2:!DES:!S

EED:!CAMELLIA:!SRP:!IDEA:!ECDHE-ECDSA-AES256-SHA:!ECDHE-RS

A-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:DHE-RSA-AES12

8-SHA.

FALLBACK – Enable/disable the SSL/TLS fall-back option. If enabled, communications with remote servers will fall back to the lowest configured protocol following a handshake failure.

After a protocol version is negotiated between client and server, handshake failure is possible because of implementation issues. If this option is enabled, the proxy attempts to connect using the lowest version of the currently configured TLS/SSL protocols.

Note On new AsyncOS 9.x installations, fall-back is disabled by default. For upgrades from earlier versions on which the fall-back option exists, the current setting is retained; otherwise, when upgrading from a version on which the option did not exist, fall-back is enabled by default.

ECDHE– Enable/disable use of ECDHE ciphers for LDAP.

Additional ECDH ciphers are supported in successive releases; however, certain named curves provided with some of the additional ciphers cause the appliance to close a connection during secure LDAP authentication and HTTPS traffic decryption. See SSL Configuration, page 22-23 for more information about specifying additional ciphers.

If you experience these issues, use this option to disable or enable ECDHE cipher use for either or both features.

status Displays system status.



supportrequest Send the support request email to Cisco IronPort Customer Support. This includes system information and a copy of the master configuration.

tail Displays the end of a log file. Command accepts log file name or number as parameters.

example.com> tail system_logs

example.com> tail 9

tcpservices Displays information about open TCP/IP services.

techsupport Provides a temporary connection to allow Cisco IronPort Customer Support to access the system and assist in troubleshooting.

testauthconfig Tests the authentication settings for a given authentication realm against the authentication servers defined in the realm.

testauthconfig [-d level] [realm name]

Running the command without any option causes the appliance to list the configured authentication realms from which you can make a selection.

The debug flag (-d) controls the level of debug information. The levels can range between 0-10. If unspecified, the appliance uses a level of 0. With level 0, the command will return success or failure. If the test settings fail, the command will list the cause of the failure.

Note Cisco recommends you use level 0. Only use a different debug level when you need more detailed information to troubleshoot.

traceroute Traces IP packets through gateways and along the path to a destination host.

tuiconfig tuistatus

These two commands are documented in Using the CLI to Configure Advanced Transparent User Identification Settings, page 5-9.

updateconfig Configure update and upgrade settings.

updatenow Update all components.

upgrade Install an AsyncOS software upgrade.

userconfig Configure system administrators.

version Displays general system information, installed versions of system software, and rule definitions.

webcache Examine or modify the contents of the proxy cache, or configure domains and URLs that the appliance never caches. Allows an administrator to remove a particular URL from the proxy cache or specify which domains or URLs to never store in the proxy cache.

who Displays users logged into the system, for both CLI and Web interface sessions.

Note Individual users can have a maximum of 10 concurrent sessions.

whoami Displays user information.



C-1AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

A P P E N D I X CAdditional Resources

• Cisco Notification Service, page C-1

• Documentation Set, page C-2

• Training, page C-2

• Knowledge Base Articles (TechNotes), page C-2

• Cisco Support Community, page C-2

• Customer Support, page C-2

• Registering for a Cisco Account to Access Resources, page C-3

• Third Party Contributors, page C-3

• Cisco Welcomes Your Comments, page C-3

Cisco Notification Service Sign up to receive notifications relevant to your Cisco Content Security Appliances, such as Security Advisories, Field Notices, End of Sale and End of Support statements, and information about software updates and known issues.

You can specify options such as notification frequency and types of information to receive. You should sign up separately for notifications for each product that you use.

To sign up, visit http://www.cisco.com/cisco/support/notifications.html

A Cisco.com account is required. If you do not have one, see Registering for a Cisco Account to Access Resources, page C-3.

http://www.cisco.com/cisco/support/notifications.html


Appendix C Additional Resources Documentation Set

Documentation SetRelated documentation for Cisco Web Security Appliances is available from the following locations:

TrainingTraining for Cisco email and web security products:

http://www.cisco.com/c/en/us/training-events/training-certifications/supplemental-train

ing/email-and-web-security.html

Knowledge Base Articles (TechNotes)

Step 1 Go to the main product page (http://www.cisco.com/c/en/us/support/security/web-security-appliance/tsd-products-support-series-home.html)

Step 2 Look for links with TechNotes in the name.

Cisco Support CommunityAccess the Cisco Support Community for web security and associated management at the following URL:

https://supportforums.cisco.com/community/5786/web-security

The Cisco Support Community is a place to discuss general web security issues as well as technical information about specific Cisco products. For example, posts may include troubleshooting videos.

Customer Support Cisco TAC: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Product Link

Web Security appliances

(Includes hardware documentation.)


Content Security Management appliances


http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/tsd-products-support-series-home.html

Cisco Cloud Web Security




http://www.cisco.com/c/en/us/support/security/content-security-management-appliance/tsd-products-support-series-home.html


http://www.cisco.com/c/en/us/training-events/training-certifications/supplemental-training/email-and-web-security.html

http://www.cisco.com/c/en/us/training-events/training-certifications/supplemental-training/email-and-web-security.html



https://supportforums.cisco.com/community/5786/web-security

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html


Appendix C Additional Resources Registering for a Cisco Account to Access Resources

Support site for legacy IronPort: http://www.cisco.com/web/services/acquisitions/ironport.html

For instructions for virtual appliances, see the Cisco Content Security Virtual Appliance Installation Guide.

For non-critical issues, you can also open a support case from the appliance.

Related Topics

• Working With Support, page A-25.

Registering for a Cisco Account to Access Resources Access to many resources on Cisco.com requires a Cisco account.

If you do not have a Cisco.com User ID, you can register for one here: https://tools.cisco.com/RPF/register/register.do

Third Party ContributorsSome software included within AsyncOS is distributed under the terms, notices, and conditions of software license agreements of FreeBSD, Inc., Stichting Mathematisch Centrum, Corporation for National Research Initiatives, Inc., and other third party contributors, and all such terms and conditions are incorporated in license agreements. The full text of these agreements can be found here:

https://support.ironport.com/3rdparty/AsyncOS_User_Guide-1-1.html.

Portions of the software within AsyncOS is based upon the RRDtool with the express written consent of Tobi Oetiker.

Portions of this document are reproduced with permission of Dell Computer Corporation. Portions of this document are reproduced with permission of McAfee, Inc. Portions of this document are reproduced with permission of Sophos Plc.

Cisco Welcomes Your CommentsThe Cisco Technical Publications team is interested in improving the product documentation. Your comments and suggestions are always welcome. You can send comments to the following email address: [email protected]

Please include the title of this book and the publication date from the title page in the subject line of your message.

http://www.cisco.com/web/services/acquisitions/ironport.html

https://tools.cisco.com/RPF/register/register.do


Appendix C Additional Resources Cisco Welcomes Your Comments

D-1AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

A P P E N D I X DEnd User License Agreement

• Cisco Systems End User License Agreement, page D-1

• Supplemental End User License Agreement for Cisco Systems Content Security Software, page D-8

Cisco Systems End User License Agreement IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. IT IS VERY IMPORTANT THAT YOU CHECK THAT YOU ARE PURCHASING CISCO SOFTWARE OR EQUIPMENT FROM AN APPROVED SOURCE AND THAT YOU, OR THE ENTITY YOU REPRESENT (COLLECTIVELY, THE "CUSTOMER") HAVE BEEN REGISTERED AS THE END USER FOR THE PURPOSES OF THIS CISCO END USER LICENSE AGREEMENT. IF YOU ARE NOT REGISTERED AS THE END USER YOU HAVE NO LICENSE TO USE THE SOFTWARE AND THE LIMITED WARRANTY IN THIS END USER LICENSE AGREEMENT DOES NOT APPLY. ASSUMING YOU HAVE PURCHASED FROM AN APPROVED SOURCE, DOWNLOADING, INSTALLING OR USING CISCO OR CISCO-SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT.

CISCO SYSTEMS, INC. OR ITS SUBSIDIARY LICENSING THE SOFTWARE INSTEAD OF CISCO SYSTEMS, INC. ("CISCO") IS WILLING TO LICENSE THIS SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU PURCHASED THE SOFTWARE FROM AN APPROVED SOURCE AND THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS END USER LICENSE AGREEMENT PLUS ANY ADDITIONAL LIMITATIONS ON THE LICENSE SET FORTH IN A SUPPLEMENTAL LICENSE AGREEMENT ACCOMPANYING THE PRODUCT OR AVAILABLE AT THE TIME OF YOUR ORDER (COLLECTIVELY THE "AGREEMENT"). TO THE EXTENT OF ANY CONFLICT BETWEEN THE TERMS OF THIS END USER LICENSE AGREEMENT AND ANY SUPPLEMENTAL LICENSE AGREEMENT, THE SUPPLEMENTAL LICENSE AGREEMENT SHALL APPLY. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE, YOU ARE REPRESENTING THAT YOU PURCHASED THE SOFTWARE FROM AN APPROVED SOURCE AND BINDING YOURSELF TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM AN APPROVED SOURCE, AND APPLIES ONLY IF YOU ARE THE ORIGINAL AND REGISTERED END USER PURCHASER. FOR THE PURPOSES OF THIS END USER LICENSE AGREEMENT, AN "APPROVED SOURCE" MEANS (A) CISCO; OR (B) A DISTRIBUTOR OR SYSTEMS INTEGRATOR AUTHORIZED BY CISCO TO DISTRIBUTE /


Appendix D End User License Agreement Cisco Systems End User License Agreement

SELL CISCO EQUIPMENT, SOFTWARE AND SERVICES WITHIN YOUR TERRITORY TO END USERS; OR (C) A RESELLER AUTHORIZED BY ANY SUCH DISTRIBUTOR OR SYSTEMS INTEGRATOR IN ACCORDANCE WITH THE TERMS OF THE DISTRIBUTOR'S AGREEMENT WITH CISCO TO DISTRIBUTE / SELL THE CISCO EQUIPMENT, SOFTWARE AND SERVICES WITHIN YOUR TERRITORY TO END USERS.

THE FOLLOWING TERMS OF THE AGREEMENT GOVERN CUSTOMER'S USE OF THE SOFTWARE (DEFINED BELOW), EXCEPT TO THE EXTENT: (A) THERE IS A SEPARATE SIGNED CONTRACT BETWEEN CUSTOMER AND CISCO GOVERNING CUSTOMER'S USE OF THE SOFTWARE, OR (B) THE SOFTWARE INCLUDES A SEPARATE "CLICK-ACCEPT" LICENSE AGREEMENT OR THIRD PARTY LICENSE AGREEMENT AS PART OF THE INSTALLATION OR DOWNLOAD PROCESS GOVERNING CUSTOMER'S USE OF THE SOFTWARE. TO THE EXTENT OF A CONFLICT BETWEEN THE PROVISIONS OF THE FOREGOING DOCUMENTS, THE ORDER OF PRECEDENCE SHALL BE (1)THE SIGNED CONTRACT, (2) THE CLICK-ACCEPT AGREEMENT OR THIRD PARTY LICENSE AGREEMENT, AND (3) THE AGREEMENT. FOR PURPOSES OF THE AGREEMENT, "SOFTWARE" SHALL MEAN COMPUTER PROGRAMS, INCLUDING FIRMWARE AND COMPUTER PROGRAMS EMBEDDED IN CISCO EQUIPMENT, AS PROVIDED TO CUSTOMER BY AN APPROVED SOURCE, AND ANY UPGRADES, UPDATES, BUG FIXES OR MODIFIED VERSIONS THERETO (COLLECTIVELY, "UPGRADES"), ANY OF THE SAME WHICH HAS BEEN RELICENSED UNDER THE CISCO SOFTWARE TRANSFER AND RE-LICENSING POLICY (AS MAY BE AMENDED BY CISCO FROM TIME TO TIME) OR BACKUP COPIES OF ANY OF THE FOREGOING.

License. Conditioned upon compliance with the terms and conditions of the Agreement, Cisco grants to Customer a nonexclusive and nontransferable license to use for Customer's internal business purposes the Software and the Documentation for which Customer has paid the required license fees to an Approved Source. "Documentation" means written information (whether contained in user or technical manuals, training materials, specifications or otherwise) pertaining to the Software and made available by an Approved Source with the Software in any manner (including on CD-Rom, or on-line). In order to use the Software, Customer may be required to input a registration number or product authorization key and register Customer's copy of the Software online at Cisco's website to obtain the necessary license key or license file.

Customer's license to use the Software shall be limited to, and Customer shall not use the Software in excess of, a single hardware chassis or card or such other limitations as are set forth in the applicable Supplemental License Agreement or in the applicable purchase order which has been accepted by an Approved Source and for which Customer has paid to an Approved Source the required license fee (the "Purchase Order").

Unless otherwise expressly provided in the Documentation or any applicable Supplemental License Agreement, Customer shall use the Software solely as embedded in, for execution on, or (where the applicable Documentation permits installation on non-Cisco equipment) for communication with Cisco equipment owned or leased by Customer and used for Customer's internal business purposes. No other licenses are granted by implication, estoppel or otherwise.

For evaluation or beta copies for which Cisco does not charge a license fee, the above requirement to pay license fees does not apply.

General Limitations. This is a license, not a transfer of title, to the Software and Documentation, and Cisco retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of Cisco or its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Except as otherwise expressly provided under the Agreement, Customer shall only use the Software in connection with the use of Cisco equipment purchased by the Customer from an Approved Source and Customer shall have no right, and Customer specifically agrees not to:



(i) transfer, assign or sublicense its license rights to any other person or entity (other than in compliance with any Cisco relicensing/transfer policy then in force), or use the Software on Cisco equipment not purchased by the Customer from an Approved Source or on secondhand Cisco equipment, and Customer acknowledges that any attempted transfer, assignment, sublicense or use shall be void;

(ii) make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same;

(iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction or except to the extent that Cisco is legally required to permit such specific activity pursuant to any applicable open source license;

(iv) publish any results of benchmark tests run on the Software;

(v) use or permit the Software to be used to perform services for third parties, whether on a service bureau or time sharing basis or otherwise, without the express written authorization of Cisco; or

(vi) disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of Cisco. Customer shall implement reasonable security measures to protect such trade secrets.

To the extent required by applicable law, and at Customer's written request, Cisco shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of Cisco's applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Cisco makes such information available.

Software, Upgrades and Additional Copies. NOTWITHSTANDING ANY OTHER PROVISION OF THE AGREEMENT: (1) CUSTOMER HAS NO LICENSE OR RIGHT TO MAKE OR USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF MAKING OR ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE TO AN APPROVED SOURCE FOR THE UPGRADE OR ADDITIONAL COPIES; (2) USE OF UPGRADES IS LIMITED TO CISCO EQUIPMENT SUPPLIED BY AN APPROVED SOURCE FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LESSEE OR OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND (3) THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.

Proprietary Notices. Customer agrees to maintain and reproduce all copyright, proprietary, and other notices on all copies, in any form, of the Software in the same form and manner that such copyright and other proprietary notices are included on the Software. Except as expressly authorized in the Agreement, Customer shall not make any copies or duplicates of any Software without the prior written permission of Cisco.

Term and Termination. The Agreement and the license granted herein shall remain effective until terminated. Customer may terminate the Agreement and the license at any time by destroying all copies of Software and any Documentation. Customer's rights under the Agreement will terminate immediately without notice from Cisco if Customer fails to comply with any provision of the Agreement. Upon termination, Customer shall destroy all copies of Software and Documentation in its possession or control. All confidentiality obligations of Customer, all restrictions and limitations imposed on the Customer under the section titled "General Limitations" and all limitations of liability and disclaimers and restrictions of warranty shall survive termination of this Agreement. In addition, the provisions of the sections titled "U.S. Government End User Purchasers" and "General Terms Applicable to the Limited Warranty Statement and End User License Agreement" shall survive termination of the Agreement.



Customer Records. Customer grants to Cisco and its independent accountants the right to examine Customer's books, records and accounts during Customer's normal business hours to verify compliance with this Agreement. In the event such audit discloses non-compliance with this Agreement, Customer shall promptly pay to Cisco the appropriate license fees, plus the reasonable cost of conducting the audit.

Export, Re-Export, Transfer and Use Controls. The Software, Documentation and technology or direct products thereof (hereafter referred to as Software and Technology), supplied by Cisco under the Agreement are subject to export controls under the laws and regulations of the United States (U.S.) and any other applicable countries' laws and regulations. Customer shall comply with such laws and regulations governing export, re-export, transfer and use of Cisco Software and Technology and will obtain all required U.S. and local authorizations, permits, or licenses. Cisco and Customer each agree to provide the other information, support documents, and assistance as may reasonably be required by the other in connection with securing authorizations or licenses. Information regarding compliance with export, re-export, transfer and use may be located at the following URL:

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html.

U.S. Government End User Purchasers. The Software and Documentation qualify as "commercial items," as that term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which the Agreement may be incorporated, Customer may provide to Government end user or, if the Agreement is direct, Government end user will acquire, the Software and Documentation with only those rights set forth in the Agreement. Use of either the Software or Documentation or both constitutes agreement by the Government that the Software and Documentation are "commercial computer software" and "commercial computer software documentation," and constitutes acceptance of the rights and restrictions herein.

Identified Components; Additional Terms. The Software may contain or be delivered with one or more components, which may include third-party components, identified by Cisco in the Documentation, readme.txt file, third-party click-accept or elsewhere (e.g. on www.cisco.com) (the "Identified Component(s)") as being subject to different license agreement terms, disclaimers of warranties, limited warranties or other terms and conditions (collectively, "Additional Terms") than those set forth herein. You agree to the applicable Additional Terms for any such Identified Component(s)."

Limited Warranty

Subject to the limitations and conditions set forth herein, Cisco warrants that commencing from the date of shipment to Customer (but in case of resale by an Approved Source other than Cisco, commencing not more than ninety (90) days after original shipment by Cisco), and continuing for a period of the longer of (a) ninety (90) days or (b) the warranty period (if any) expressly set forth as applicable specifically to software in the warranty card accompanying the product of which the Software is a part (the "Product") (if any): (a) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (b) the Software substantially conforms to the Documentation. The date of shipment of a Product by Cisco is set forth on the packaging material in which the Product is shipped. Except for the foregoing, the Software is provided "AS IS". This limited warranty extends only to the Software purchased from an Approved Source by a Customer who is the first registered end user. Customer's sole and exclusive remedy and the entire liability of Cisco and its suppliers under this limited warranty will be (i) replacement of defective media and/or (ii) at Cisco's option, repair, replacement, or refund of the purchase price of the Software, in both cases subject to the condition that any error or defect constituting a breach of this limited warranty is reported to the Approved Source supplying the Software to Customer, within the warranty period. Cisco or the Approved Source supplying the Software to Customer may, at its option, require return of the Software and/or Documentation as a condition to the remedy. In no event does Cisco warrant that the Software is

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html

http://www.cisco.com/web/about/doing_business/legal/global_export_trade/general_export/contract_compliance.html

www.cisco.com



error free or that Customer will be able to operate the Software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Cisco does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack.

Restrictions. This warranty does not apply if the Software, Product or any other equipment upon which the Software is authorized to be used (a) has been altered, except by Cisco or its authorized representative, (b) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Cisco, (c) has been subjected to abnormal physical or electrical stress, abnormal environmental conditions, misuse, negligence, or accident; or (d) is licensed for beta, evaluation, testing or demonstration purposes. The Software warranty also does not apply to (e) any temporary Software modules; (f) any Software not posted on Cisco's Software Center; (g) any Software that Cisco expressly provides on an "AS IS" basis on Cisco's Software Center; (h) any Software for which an Approved Source does not receive a license fee; and (i) Software supplied by any third party which is not an Approved Source.

DISCLAIMER OF WARRANTY

EXCEPT AS SPECIFIED IN THIS WARRANTY SECTION, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, ACCURACY OF INFORMATIONAL CONTENT, OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW AND ARE EXPRESSLY DISCLAIMED BY CISCO, ITS SUPPLIERS AND LICENSORS. TO THE EXTENT THAT ANY OF THE SAME CANNOT BE EXCLUDED, SUCH IMPLIED CONDITION, REPRESENTATION AND/OR WARRANTY IS LIMITED IN DURATION TO THE EXPRESS WARRANTY PERIOD REFERRED TO IN THE "LIMITED WARRANTY" SECTION ABOVE. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY IN SUCH STATES. THIS WARRANTY GIVES CUSTOMER SPECIFIC LEGAL RIGHTS, AND CUSTOMER MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

Disclaimer of Liabilities - Limitation of Liability. IF YOU ACQUIRED THE SOFTWARE IN THE UNITED STATES, LATIN AMERICA, CANADA, JAPAN OR THE CARIBBEAN, NOTWITHSTANDING ANYTHING ELSE IN THE AGREEMENT TO THE CONTRARY, ALL LIABILITY OF CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS COLLECTIVELY, TO CUSTOMER, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF WARRANTY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID BY CUSTOMER TO ANY APPROVED SOURCE FOR THE SOFTWARE THAT GAVE RISE TO THE CLAIM OR IF THE SOFTWARE IS PART OF ANOTHER PRODUCT, THE PRICE PAID FOR SUCH OTHER PRODUCT. THIS LIMITATION OF LIABILITY FOR SOFTWARE IS CUMULATIVE AND NOT PER INCIDENT (I.E. THE EXISTENCE OF TWO OR MORE CLAIMS WILL NOT ENLARGE THIS LIMIT).

IF YOU ACQUIRED THE SOFTWARE IN EUROPE, THE MIDDLE EAST, AFRICA, ASIA OR OCEANIA, NOTWITHSTANDING ANYTHING ELSE IN THE AGREEMENT TO THE CONTRARY, ALL LIABILITY OF CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS COLLECTIVELY, TO CUSTOMER, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF WARRANTY OR OTHERWISE, SHALL NOT EXCEED THE PRICE PAID BY CUSTOMER TO CISCO FOR THE SOFTWARE THAT GAVE RISE TO THE CLAIM OR IF THE SOFTWARE IS PART OF ANOTHER PRODUCT, THE PRICE PAID



FOR SUCH OTHER PRODUCT. THIS LIMITATION OF LIABILITY FOR SOFTWARE IS CUMULATIVE AND NOT PER INCIDENT (I.E. THE EXISTENCE OF TWO OR MORE CLAIMS WILL NOT ENLARGE THIS LIMIT). NOTHING IN THE AGREEMENT SHALL LIMIT (I) THE LIABILITY OF CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS TO CUSTOMER FOR PERSONAL INJURY OR DEATH CAUSED BY THEIR NEGLIGENCE, (II) CISCO'S LIABILITY FOR FRAUDULENT MISREPRESENTATION, OR (III) ANY LIABILITY OF CISCO WHICH CANNOT BE EXCLUDED UNDER APPLICABLE LAW.

Disclaimer of Liabilities - Waiver of Consequential Damages and Other Losses. IF YOU ACQUIRED THE SOFTWARE IN THE UNITED STATES, LATIN AMERICA, THE CARIBBEAN OR CANADA, REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE SOFTWARE OR OTHERWISE AND EVEN IF CISCO OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

IF YOU ACQUIRED THE SOFTWARE IN JAPAN, EXCEPT FOR LIABILITY ARISING OUT OF OR IN CONNECTION WITH DEATH OR PERSONAL INJURY, FRAUDULENT MISREPRESENTATION, AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE SOFTWARE OR OTHERWISE AND EVEN IF CISCO OR ANY APPROVED SOURCE OR THEIR SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IF YOU ACQUIRED THE SOFTWARE IN EUROPE, THE MIDDLE EAST, AFRICA, ASIA OR OCEANIA, IN NO EVENT WILL CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS, BE LIABLE FOR ANY LOST REVENUE, LOST PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES, HOWSOEVER ARISING, INCLUDING, WITHOUT LIMITATION, IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF, IN EACH CASE, CISCO, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS AND LICENSORS, HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT FULLY APPLY TO YOU. THE FOREGOING EXCLUSION SHALL NOT APPLY TO ANY LIABILITY ARISING OUT OF OR IN CONNECTION WITH: (I) DEATH OR PERSONAL INJURY, (II) FRAUDULENT MISREPRESENTATION, OR (III) CISCO'S LIABILITY IN CONNECTION WITH ANY TERMS THAT CANNOT BE EXCLUDED UNDER APPLICABLE LAW.



Customer acknowledges and agrees that Cisco has set its prices and entered into the Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties.

Controlling Law, Jurisdiction. If you acquired, by reference to the address on the purchase order accepted by the Approved Source, the Software in the United States, Latin America, or the Caribbean, the Agreement and warranties ("Warranties") are controlled by and construed under the laws of the State of California, United States of America, notwithstanding any conflicts of law provisions; and the state and federal courts of California shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. If you acquired the Software in Canada, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of the Province of Ontario, Canada, notwithstanding any conflicts of law provisions; and the courts of the Province of Ontario shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. If you acquired the Software in Europe, the Middle East, Africa, Asia or Oceania (excluding Australia), unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of England, notwithstanding any conflicts of law provisions; and the English courts shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. In addition, if the Agreement is controlled by the laws of England, no person who is not a party to the Agreement shall be entitled to enforce or take the benefit of any of its terms under the Contracts (Rights of Third Parties) Act 1999. If you acquired the Software in Japan, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of Japan, notwithstanding any conflicts of law provisions; and the Tokyo District Court of Japan shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. If you acquired the Software in Australia, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of the State of New South Wales, Australia, notwithstanding any conflicts of law provisions; and the State and federal courts of New South Wales shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties. If you acquired the Software in any other country, unless expressly prohibited by local law, the Agreement and Warranties are controlled by and construed under the laws of the State of California, United States of America, notwithstanding any conflicts of law provisions; and the state and federal courts of California shall have exclusive jurisdiction over any claim arising under the Agreement or Warranties.

For all countries referred to above, the parties specifically disclaim the application of the UN Convention on Contracts for the International Sale of Goods. Notwithstanding the foregoing, either party may seek interim injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of such party's intellectual property or proprietary rights. If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement and Warranties shall remain in full force and effect. Except as expressly provided herein, the Agreement constitutes the entire agreement between the parties with respect to the license of the Software and Documentation and supersedes any conflicting or additional terms contained in any Purchase Order or elsewhere, all of which terms are excluded. The Agreement has been written in the English language, and the parties agree that the English version will govern.

Product warranty terms and other information applicable to Cisco products are available at the following URL:

http://www.cisco.com/go/warranty

http://www.cisco.com/go/warranty


Appendix D End User License Agreement Supplemental End User License Agreement for Cisco Systems Content Security Software

Supplemental End User License Agreement for Cisco Systems Content Security Software

IMPORTANT: READ CAREFULLY

This Supplemental End User License Agreement ("SEULA") contains additional terms and conditions for the Software product licensed under the End User License Agreement ("EULA") between You ("You" as used herein means You and the business entity you represent or "Company") and Cisco (collectively, the "Agreement"). Capitalized terms used in this SEULA but not defined will have the meanings assigned to them in the EULA. To the extent that there is a conflict between the terms and conditions of the EULA and this SEULA, the terms and conditions of this SEULA will take precedence.

In addition to the limitations set forth in the EULA on your access and use of the Software, you agree to comply at all times with the terms and conditions provided in this SEULA.

DOWNLOADING, INSTALLING, OR USING THE SOFTWARE CONSTITUTES ACCEPTANCE OF THE AGREEMENT, AND YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT TO THE AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THE AGREEMENT, THEN CISCO IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND (A) YOU MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE (INCLUDING ANY UNOPENED CD PACKAGE AND ANY WRITTEN MATERIALS) FOR A FULL REFUND, OR, IF THE SOFTWARE AND WRITTEN MATERIALS ARE SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM CISCO OR AN AUTHORIZED CISCO RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL END USER PURCHASER.

For purposes of this SEULA, the Product name and the Product description You have ordered is any of the following Cisco Systems Email Security Appliance ("ESA"), Cisco Systems Web Security Appliance ("WSA") and Cisco Systems Security Management Application ("SMA") (collectively, "Content Security") and their Virtual Appliance equivalent ("Software"):

Cisco AsyncOS for Email

Cisco AsyncOS for Web

Cisco AsyncOS for Management

Cisco Email Anti-Spam, Sophos Anti-Virus

Cisco Email Outbreak Filters

Cloudmark Anti-Spam

Cisco Image Analyzer

McAfee Anti-Virus

Cisco Intelligent Multi-Scan

Cisco RSA Data Loss Prevention

Cisco Email Encryption

Cisco Email Delivery Mode

Cisco Web Usage Controls

Cisco Web Reputation

Sophos Anti-Malware

Webroot Anti-Malware



McAfee Anti-Malware

Cisco Email Reporting

Cisco Email Message Tracking

Cisco Email Centralized Quarantine

Cisco Web Reporting

Cisco Web Policy and Configuration Management

Cisco Advanced Web Security Management with Splunk

Email Encryption for Encryption Appliances

Email Encryption for System Generated Bulk Email

Email Encryption and Public Key Encryption for Encryption Appliances

Large Attachment Handling for Encryption Appliances

Secure Mailbox License for Encryption Appliances

Definitions

For purposes of this SEULA, the following definitions apply:

"Company Service" means the Company's email, Internet, security management services provided to End Users for the purposes of conducting Company's internal business.

"End User" means: (1) for the WSA and SMA, the employee, contractor or other agent authorized by Company to access the Internet and the SMA via the Company Service; and (2) for the ESA, the email boxes of the employees, contractors, or other agent authorized by Company to access or use the email services via the Company Service.

"Ordering Document" means the purchase agreement, evaluation agreement, beta, pre-release agreement or similar agreement between the Company and Cisco or the Company and a Cisco reseller, or the valid terms of any purchase order accepted by Cisco in connection therewith, containing the purchase terms for the Software license granted by this Agreement.

"Personally Identifiable Information" means any information that can be used to identify an individual, including, but not limited to, an individual's name, user name, email address and any other personally identifiable information.

"Server" means a single physical computer or devices on a network that manages or provides network resources for multiple users.

"Services" means Cisco Software Subscription Services.

"Service Description" means the description of the Software Subscription Support Services at http://www.cisco.com/web/about/doing_business/legal/service_descriptions/index.html

"Telemetry Data" means samples of Company's email and web traffic, including data on email message and web request attributes and information on how different types of email messages and web requests were handled by Company's Cisco hardware products. Email message metadata and web requests included in Telemetry Data are anonymized and obfuscated to remove any Personally Identifiable Information.

"Term" means the length of the Software subscription You purchased, as indicated in your Ordering Document.

"Virtual Appliance" means the virtual version of Cisco's email security appliances, web security appliances, and security management appliances.

http://www.cisco.com/web/about/doing_business/legal/service_descriptions/index.html



"Virtual Machine" means a software container that can run its own operating system and execute applications like a Server.

Additional License Terms and Conditions

LICENSE GRANTS AND CONSENT TO TERMS OF DATA COLLECTION

License of Software.

By using the Software and the Documentation, Company agrees to be bound by the terms of this Agreement, and so long as Company is in compliance with this Agreement, Cisco hereby grants to Company a nonexclusive, non-sublicensable, non-transferable, worldwide license during the Term to use the Software only on Cisco's hardware products, or in the case of the Virtual Appliances, on a Virtual Machine, solely in connection with the provision of the Company Service to End Users. The number of End Users licensed for the use of the Software is limited to the number of End Users specified in the Ordering Documents. In the event that the number of End Users in connection with the provision of the Company Service exceeds the number of End Users specified in the Ordering Documents, Company shall contact an Approved Source to purchase additional licenses for the Software. The duration and scope of this license(s) is further defined in the Ordering Document. The Ordering Document supersedes the EULA with respect to the term of the Software license. Except for the license rights granted herein, no right, title or interest in any Software is granted to the Company by Cisco, Cisco's resellers or their respective licensors. Your entitlement to Upgrades to the Software is subject to the Service Description. This Agreement and the Services are co-terminus.

Consent and License to Use Data.

Subject to the Cisco Privacy Statement at http://www.cisco.com/web/siteassets/legal/privacy.html, Company hereby consents and grants to Cisco a license to collect and use Telemetry Data from the Company. Cisco does not collect or use Personally Identifiable Information in the Telemetry Data. Cisco may share aggregated and anonymous Telemetry Data with third parties to assist us in improving your user experience and the Software and other Cisco security products and services. Company may terminate Cisco's right to collect Telemetry Data at any time by disabling SenderBase Network Participation in the Software. Instructions to enable or disable SenderBase Network Participation are available in the Software configuration guide.

Description of Other Rights and Obligations

Please refer to the Cisco Systems, Inc. End User License Agreement, Privacy Statement and Service Description of Software Subscription Support Services.

http://www.cisco.com/web/siteassets/legal/privacy.html

IN-1AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide

I N D E X

A

access log file

see also W3C access logs

ACL decision tags 21-16

no category (nc) 21-20

no score (ns) 21-20

overview 21-13

result codes 21-16

URL category abbreviations 9-25

access logs

header format specifier 21-38

Access Policies 9-5

and URL category changes 9-5

configuring Web Reputation 13-12

proxy port of request 4-18

subnet of request 4-18

time of request 4-18

URL filters 10-11

ACL decision tags

access log file 21-16

Active Directory 5-1

adding

log subscriptions 21-7

WCCP service 2-25

addresses

ambiguous address 20-2

known allowed address 20-2

known malware address 20-2

adminaccessconfig command

overview 22-11

adult content

filtering 9-16

logging usage 9-18

Advanced Malware Protection 14-1

MONITOR_AMP_RESP 21-19

alert listing 22-16

alerts

alert classifications 22-14

severities 22-14

alert types 22-14

ambiguous address

defined 20-2

AMP. See Advanced Malware Protection.

AMW

see anti-malware

anonymizing

usernames in reports 18-1

anti-malware


configuring 13-7

database 13-13

outbound scanning 12-1

overview 13-4

rules for L4 Traffic Monitor 20-2

scanning verdicts 21-40

Anti-Malware report 19-6

anti-malware rules

L4 Traffic Monitor 20-2

anti-malware scanning

outbound 12-1

application behaviors

defined 15-3

application control

application behaviors 15-3

applications 15-3

Index


application types 15-3

bandwidth 15-5

configuring 15-3, 15-5

instant messaging traffic 15-8

logging 15-9

overview 15-1

report 19-5

reporting 15-8

applications

blocking 15-5

configuring bandwidth limits 15-7

defined 15-3

application types

configuring bandwidth limits 15-7

defined 15-3

overriding bandwidth limits 15-7

Application Visibility report

overview 19-5

archives

log file compression 21-9, 21-12

reports 18-9

rollover settings 21-8, 21-11

AsyncOS reversion 22-33

available upgrades 22-28

AVC engine

enabling 15-2

updates 15-2

B

bandwidth

configuring overall limits 15-6

configuring user limits 15-6

limiting 15-5

bandwidth limits

configuring for applications 15-7

configuring for application types 15-7

overall 15-6

overriding for application types 15-7

overview 15-5

per user 15-6

blacklist address

see known malware address

blocking

adult content 9-16

all traffic by default 2-15

applications 15-5

HTTPS traffic 11-12

objects 16-8

upload requests 16-2

upload requests due to AVC engine 15-3

upload requests due to malware 12-1

URL categories 16-7

user experience 12-1, 15-3, 16-2

blocking traffic

by default in System Setup Wizard 2-15

browsers

see web browsers

bypassing

decryption A-9

upload requests from scanning 16-2

C

caching 13-14

capturing network packets

overview A-24

case-sensitivity

in CLI B-3

categories

adult 9-25

advertisements 9-25

alcohol 9-25

arts 9-26

astrology 9-26

auctions 9-26

business and industry 9-26

chat and instant messaging 9-26

Index


cheating and plagiarism 9-26

child abuse content 9-26

computers and internet 9-26

computer security 9-26

dating 9-26

digital postcards 9-27

dining and drinking 9-27

dynamic and residential 9-27

education 9-27

entertainment 9-27

extreme 9-27

fashion 9-27

file transfer services 9-27

filter avoidance 9-27

finance 9-27

freeware and shareware 9-27

gambling 9-28

games 9-28

government and law 9-28

hacking 9-28

hate speech 9-28

health and nutrition 9-28

humor 9-28

illegal activities 9-29

illegal downloads 9-29

illegal drugs 9-29

infrastructure and content delivery networks 9-29

internet telephony 9-29

job search 9-29

lingerie and swimsuits 9-29

lotteries 9-29

mobile phones 9-29

nature 9-30

news 9-30

non-governmental organizations 9-30

non-sexual nudity 9-30

online communities 9-30

online storage and backup 9-30

online trading 9-30

organizational email 9-30

parked domains 9-31

peer file transfer 9-31

personal sites 9-31

photo searches and images 9-31

politics 9-31

pornography 9-31

professional networking 9-31

real estate 9-31

reference 9-31

religion 9-31

SaaS and B2B 9-31

safe for kids 9-31

science and technology 9-32

search engines and portals 9-32

sex education 9-32

shopping 9-32

social networking 9-32

social science 9-32

society and culture 9-32

software updates 9-32

sports and recreation 9-32

streaming audio 9-32

streaming video 9-32

tobacco 9-32

transportation 9-32

travel 9-33

unclassified 9-33

weapons 9-33

web-based email 9-33

web hosting 9-33

web page translation 9-33

category filtering

database 9-3

certificate files

supported formats 11-9

uploading 11-10

certificates

CSR for HTTPS Proxy 11-11

Index


CSR for Identity Provider for SaaS 7-3

CSR for web interface 22-27

FIPS 22-22

generating and signing your own 22-28

invalid 11-11, 11-12

validating 11-9

Certificate Signing Request (CSR)

for HTTPS Proxy 11-11

for Identity Provider for SaaS 7-3

for web interface 22-27

Change Password link 22-8

changing passwords 22-8

Cisco ASA integration

overview 10-22

Cisco Cloud Web Security

guest users 3-8

Cisco Data Security Policies


Cisco IronPort Data Security Policies

see Data Security Policies

user location of request 16-6

Cisco Web Usage Controls

overview 9-1

CLI

case-sensitivity in B-3

configuring host keys 21-13

configuring languages 22-10

overview B-1

SSH B-1

Client Malware Risk 19-7

Client Malware Risk report 19-7

Client Malware Risk report page 19-7

Client Signing Required 5-13, 5-16

Cloud Connector

authentication failures 3-8

Cloud Web Security Connector

FTP 3-5

cloud connector settings 2-12, 3-3

cloud routing policies 3-5

Cloud Web Security Connector

HTTPS 3-5compared to standard mode 2-2

Configuring 3-2

data loss prevention 3-6

directory group policies 3-5

documentation 3-1

logging 3-6

user authentication 3-7

commit command B-4

community string

SNMP 22-36

compression

log file archives 21-9, 21-12

configuring 2-23

administrator settings 22-11

application control settings 15-3

HTTPS Proxy 11-4

return addresses 22-14

URL filters 9-9

Web Reputation Filters 13-12

configuring the appliance

anti-malware 13-7

browser requirements 1-3

enabling features 22-3

network interfaces 2-18

reporting 18-1

scheduling reports 18-7

content filtering

Cisco IronPort Data Security Policies 16-8

controlling applications

overview 15-1

controlling bandwidth

overall limits 15-6

overview 15-5

user limits 15-6

control settings

Index



creating


External DLP Policies 16-5

log subscriptions 21-7

Outbound Malware Scanning Policies 12-3

CSS

in end-user notification pages 17-10

custom

date ranges 18-3

end-user notification pages 17-12

headers 21-38

URL categories 9-14

redirecting traffic 9-18

custom mask for load balancing 2-27

D

data loss prevention

see Outbound Malware Scanning Policies

Data Loss Prevention Policies, External 9-5

datasecurityconfig

CLI command 16-2

Data Security logs

overview 16-11

Data Security Policies

configuring 16-7

content 16-8

creating 16-5

logging 16-11

membership 16-4

minimum request size 16-2

protocol of request 16-5



URL category of request 16-6

URL filters 16-7

user agent of request 16-6

Web Reputation 16-8

Data Security Policies, Cisco 9-5

decrypting

HTTPS traffic 11-2

decrypting HTTPS traffic

configuring Decryption Policies 11-1

decryption

bypassing A-9



blocking 11-12

bypassing decryption A-9

controlling traffic 11-6

control settings 11-6

decrypting traffic 11-1

dropping traffic 11-1

enabling 11-4

logging A-13

Monitor action 11-2

overview 11-2

passing through traffic 11-1

Decryption Policy groups

see also policy groups

default gateway 2-23

default identity 6-1

default route

configuring 2-23

defining

user preferences 22-10

DLP servers

defining 16-8

failover 16-10

DNS

authoritative name servers 2-32

configuring 2-32

split 2-32

DNS cache

flushing 2-32

dropping traffic


Index


DVS engine

how it works 13-4

working with multiple malware verdicts 13-5

Dynamic Content Analysis engine

enabling 9-4

Dynamic Vectoring and Streaming engine

see DVS engine

E

editing

WCCP service 2-25

editing the appliance

concurrent editing 1-3

enabling

HTTPS Proxy 11-4

end-user acknowledgement page

configuring 17-3

FTP requests 17-3

HTTPS requests 17-3

overview 17-2

end-user notification pages

customizing 17-12

formatting text 17-10

HTML tags 17-10

native FTP 17-9

on-box notification pages 17-6

tokens 17-12

user defined notification pages 17-7

variables 17-12

end-user URL category page

configuring 17-9

warning users 9-19

etherconfig command

VLAN 2-28

evaluating Data Security Policy membership

matching client requests 16-4

evaluating External DLP Policy membership


evaluating Outbound Malware Scanning membership


expired keys

overview A-5

exporting

reports 18-5


and URL Category changes 9-5

externaldlpconfig

CLI command 16-2

External DLP Policies

configuring 16-11

creating 16-5

defining external DLP servers 16-8

load balancing 16-10

logging 16-11

membership 16-4

minimum request size 16-2







external DLP servers

see DLP servers

F

failover

DLP servers 16-10

feature keys

adding manually 22-4

expired keys A-5

overview 22-3

settings 22-4

Federal Information Processing Standards 22-21

Federal Information Processing Standards (FIPS) 22-21

feedback about this documentation, sending C-3

Index


file analysis 14-1

file reputation filtering 14-1

filtering

adult content 9-16

category 10-11, 16-7

data in Cisco IronPort Data Security Policies 16-8

Web Reputation 16-8

FIPS

certificate requirements 22-22

compliance 22-21

mode 22-22

formatting

end-user acknowledge pages 17-10


forwarding method

L2 2-27

FTP

configuring notification messages 17-9

end-user acknowledgement page 17-3

G

generating

root certificates 11-5

global identity 6-1

greylist address

see ambiguous address

grouping, of appliances for File Analysis result details in the cloud 14-9

GUI

configuring language 22-10

H

hard power reset 22-5

hardware issues, troubleshooting A-7

hash versus mask for load balancing 2-27

headers

custom 21-38

heuristic analysis

McAfee scanning engine 13-6

hostkeyconfig command 21-13

hostname

changing 2-31

HTTPS

bypassing decryption A-9

end-user acknowledgement page 17-3

logging A-13

routing 11-13

HTTPS Proxy

configuring 11-4

Ports to Proxy 11-5

I

Identities 9-5


installation

reverting 22-33

installing the appliance

setup worksheet 2-8

instant messaging traffic

controlling 15-8

interfaceconfig command

VLAN 2-29

invalid

signing, leaf certificate 11-12

invalid certificates

handling 11-12

IP spoofing

WCCP service 2-28

IPv4 2-19

IPv4/IPv6 2-18

IPv6 2-19

Index


K

Kerberos 5-1

key files

supported formats 11-9

keys

overview 22-3

known allowed address

defined 20-2

known malware address

defined 20-2

L

L2

forwarding method 2-27

L4 Traffic Monitor

ambiguous addresses 20-2

anti-malware rules 20-2

interfaces 2-8

known allowed addresses 20-2

known malware addresses 20-2

log files 21-29

report 19-8

viewing activity 20-4

L4 Traffic Monitor interfaces

overview 2-8

languages

defining default per user 22-10

user preferences 22-10

LDAP 5-1

load balancing

traffic to external DLP servers 16-10

load-balancing method 2-27

log files


naming convention 21-12

types 21-3

viewing most recent version 21-13

logging

HTTPS requests A-13

redirected traffic 9-19

SMTP transactions 21-5

YouTube headers 21-38

log subscriptions

adding 21-7

editing 21-7

M

Machine ID service 3-7

machine ID service 3-7

MAIL FROM

configuring for notifications 22-14

malware

configuring scanning 13-7

see also anti-malware

malware verdicts

multiple 13-5

manifest XML file 22-33

mask customization for load balancing 2-27

mask versus hash for load balancing 2-27

matching client requests




McAfee scanning engine

categories 13-6

database 13-13

heuristic analysis 13-6

overview 13-6

membership diagram




MIB file

SNMP 22-36

misclassified URLs

Index


reporting 17-6

URL submission tool 9-3

Monitor


MONITOR_AMP_RESP 21-19

monitoring

scheduling reports 18-7

summary data 18-1

system activity 19-2

N

native FTP

configuring notification messages 17-9

with transparent redirection and IP spoofing 2-26

navigating

web interface 1-3

network interfaces 2-18

T1 and T2 2-8

no category (nc) 21-20

no score (ns) 21-20

NTLMSSP 5-1

O

objects

blocking 16-8

OCSP 11-12

on-box notification pages

overview 17-6

outbound malware scanning

overview 12-1


configuring 12-4

creating 12-3

logging 12-6

membership 12-2







Outbound Malware Scan Policy


Overview report 19-2

P

packet capture

overview A-24

starting A-24

passing through traffic


passwords

changing 22-8

PDF

reports 18-5

policy group member definition




policy groups

custom URL categories 9-14


ports

Access Policies 4-18




Ports to Proxy

HTTPS 11-5

preferences

defining for users 22-10

protocols



Index



proxy

see web proxy

Proxy Buffer Memory 19-13

Q

queries

external authentication 5-20

R

redirecting traffic

logging and reporting 9-19

regular expressions

overview 9-21

using in URL filters 9-21

remote upgrades 22-31, 22-32

reporting

redirected traffic 9-19

reporting misclassified URLs 17-6

reports

anonymizing usernames 18-1

Anti-Malware 19-6

Application Visibility 19-5

archiving 18-9

charts 18-4

Client Detail 19-7

Client Malware Risk 19-7

Client Malware Risk Page 19-7

custom date ranges 18-3

exporting data 18-5

graphs 18-4

interactive display 18-1


making usernames unrecognizable 18-1

Malware Category 19-6

Malware Threat 19-6

Overview 19-2

printing to PDF 18-5

Reports by User Location 19-9

return address 22-14

scheduling 18-7

search option 18-3

System Capacity 19-13

System Status 19-13

time range for scheduled reports 18-7

time ranges 18-3

uncategorized URLs 19-5

URL Categories 19-4

Web Reputation Filters 19-7

Web Sites 19-4

Reports by User Location report

overview 19-9

reputation filtering

file 14-1

result codes 21-16

retrospective verdict 14-14

return addresses

configuring 22-14

revert

installation 22-33

RFC

1065 22-35

1066 22-35

1067 22-35

1213 22-36

1907 22-36

2571-2575 22-35

rolling over log files 21-11

root certificates

generating 11-5

uploading 11-5

routes

default route 2-23

overview 2-22

split routing 2-22

Index


routing

HTTPS 11-13

Routing Policies 9-5


S

SaaS Access Control

multiple appliances 7-4

overview 7-1

zero day revocation 7-1

safe search

enforcing 9-16

sandboxing. See file analysis

scanning verdicts

anti-malware 21-40

Secure Mobility

report 19-9

SensorBase Network 1-4

sethostname command

overview 2-31

Simple Network Management Protocol

see SNMP

site content rating

enforcing 9-16

SMI file

SNMP 22-36

SMTP transactions

logging 21-5

SNMP

community string 22-36

MIB file 22-36

overview 22-35

SMI file 22-36

SNMPv1 22-36

SNMPv2 22-36

specifying multiple trap targets 22-37

traps 22-37

SOCKS

configuring 4-17

enabling 4-17

overview 4-16

policies 4-17

Sophos scanning engine

overview 13-6

split routing

defined 2-22

SSH

using with the CLI B-1

subnet





supported languages

configuring default 22-10

supportrequest command A-25

System Capacity report

overview 19-13

System Setup Wizard

Security page 2-15

System Status report 19-13

T

T1 and T2 interfaces

overview 2-8

Threat Risk Threshold

Webroot 13-8

time and volume quotas 17-2

time based policies

URL Filters 9-20

time ranges


tokens

see variables

transaction result codes 21-16

transparent mode

Index


transparent redirection 2-24

transparent redirection 2-27

adding a WCCP service 2-25

L2 forwarding method 2-27

overview 2-24

WCCP services 2-25

U

UDP_MISS 21-16

uncategorized URLs

defined 9-2

in reports 19-5

URL submission tool 9-3

unrecognized

root authority/issuer 11-12

unrecognized root authority

invalid certificates 11-12

updates

manual updates 22-28, 22-29

overview 22-32

upgrades

available 22-28

configuring upgrade settings 22-32

remote 22-31, 22-32

requirements for local upgrade servers 22-31

uploading

certificate files 11-10

root certificates 11-5

upstream proxy

file reputation 14-8

URL




URL categories 9-19

abbreviations 9-25

blocking 16-7

descriptions 9-25

uncategorized URLs 19-5

URL Categories report 19-4

URL category set

updates 9-4, 19-5, 22-3

URL Filters

configuring 9-9

custom categories 9-14

database 9-3

enabling 9-4

no category 9-2

regular expressions 9-21

time based 9-20

URL category descriptions 9-25

viewing filtering activity 9-21

URL submission tool

using 9-3

user accounts

about 22-6

managing 22-6

user agents




user defined notification pages

example 17-7

overview 17-7

parameters 17-8

user location




usernames

making unrecognizable in reports 18-1

user passwords 22-8

user preferences

defining 22-10

Index


V

validating

certificates 11-9

variables


VLAN

etherconfig command 2-28

interfaceconfig command 2-29

labels 2-28

VRT. See file analysis.

W

W3C access logs

overview 21-24

warning page

end-user URL category page 17-9

warning users 9-19

configuring end-user warning page 17-9

using URL categories 9-19

WBRS

see also Web Reputation Filters

WCCP router

WCCP services 2-25

WCCP services

adding 2-25

editing 2-25

IP spoofing 2-28

overview 2-25

web browsers

supported 1-3

web interface

browser requirements 1-3

navigating 1-3

web proxy

overview 4-16

Web Reputation Filters

about 13-2


configuring Access Policies 13-12

database 13-13

how it works 13-2

report 19-7

scores 13-2

Webroot scanning engine

database 13-13

overview 13-5

Threat Risk Threshold 13-8

Web Sites report 19-4

whitelist address

see known allowed address

Y

YouTube

headers 21-38

YouTube, logging added headers for 21-38

Z

zero day revocation

defined 7-1

Index


Date post:	17-Mar-2020
Category:	Documents
Upload:	others
View:	17 times
Download:	0 times